TechSpot

PC Performance & Stability Analysis Report - removal thereof

By Svobod
Jul 19, 2011
  1. My beloved 9-year-old appears to have clicked something he shouldn't have, and now his computer is crashing constantly, telling us his hard drive is corrupt. I have followed the 7 steps sticky and his computer doesn't seem to be crashing any more, but it's still got a black desktop and nothing in the Programs menu.

    Hopefully I have all the logs I need, and in the right order:

    Malwarebytes Anti-Malware

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7197

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19088

    19/07/2011 8:00:10 PM
    mbam-log-2011-07-19 (20-00-09).txt

    Scan type: Quick scan
    Objects scanned: 159330
    Time elapsed: 16 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 4
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\MightyMagooText.Linker (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\MightyMagooText.Linker.1 (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\APPID\MightyMagooText.DLL (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\AppDataLow\mmagootl (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MightyMagoo (PUP.MightyMagoo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\program files\mighty magoo (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Delete on reboot.
    c:\Users\User\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components (PUP.MightyMagoo) -> Quarantined and deleted successfully.

    Files Infected:
    c:\program files\mighty magoo\ars.cfg (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    c:\program files\mighty magoo\icon.ico (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome.manifest (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\install.rdf (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome\mmtextlinks.jar (PUP.MightyMagoo) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components\mmagootlf.xpt (PUP.MightyMagoo) -> Quarantined and deleted successfully.


    Step 3 GMER

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-07-19 20:18:29
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LB11
    Running: download[1].exe; Driver: C:\Users\User\AppData\Local\Temp\kwtdapob.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8DD90398]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    DDS Attach Txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-07-14.01)
    .
    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/08/2010 7:32:49 AM
    System Uptime: 19/07/2011 8:03:50 PM (0 hours ago)
    .
    Motherboard: Intel Corporation | | SANTA ROSA CRB
    Processor: Intel(R) Pentium(R) Dual CPU T2330 @ 1.60GHz | U2E1 | 1600/mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 143 GiB total, 94.707 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Driver Installation Program
    avast! Free Antivirus
    Blue Coat K9 Web Protection 4.2.89
    Bluetooth Stack for Windows by Toshiba
    Bonjour
    Camera Assistant Software for Toshiba
    CD/DVD Drive Acoustic Silencer
    Conduit Engine
    D3DX10
    Definition update for Microsoft Office 2010 (KB982726)
    DVD MovieFactory for TOSHIBA
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel Matrix Storage Manager
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java(TM) SE Runtime Environment 6
    Junk Mail filter update
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Marvell Miniport Driver
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Home and Student 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft XML Parser
    MSVCRT
    Online Oryte Games Toolbar
    Plants vs. Zombies
    Plants vs. Zombies - Game of the Year
    PriceGong 2.1.0
    QuickTime
    Realtek High Definition Audio Driver
    Roblox for User
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft Excel 2010 (KB2523021)
    Security Update for Microsoft Office 2010 (KB2289078)
    Security Update for Microsoft Office 2010 (KB2289161)
    Security Update for Microsoft PowerPoint 2010 (KB2519975)
    Security Update for Microsoft Publisher 2010 (KB2409055)
    Security Update for Microsoft Word 2010 (KB2345000)
    Security Update for Windows Media Encoder (KB2447961)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Segoe UI
    Spybot - Search & Destroy
    Synaptics Pointing Device Driver
    TeamViewer 6
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Hardware Setup
    TOSHIBA Recovery Disc Creator
    TOSHIBA SD Memory Utilities
    TOSHIBA Software Modem
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    Unity Web Player
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2010 (KB2202188)
    Update for Microsoft Office 2010 (KB2413186)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2523113)
    Update for Microsoft OneNote 2010 (KB2493983)
    Update for Microsoft Outlook Social Connector (KB2441641)
    WildTangent Games
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Encoder 9 Series
    Wizard101
    .
    ==== End Of File ===========================


    DDS txt

    DDS (Ver_2011-07-14.01) - NTFS_x86
    Internet Explorer: 8.0.6001.19088
    Run by User at 20:20:13 on 2011-07-19
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.61.1033.18.1014.130 [GMT 10:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\Drivers\WTSRV.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\TeamViewer\Version6\TeamViewer.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Windows\System32\WTClient.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\RacAgent.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com.au/
    uURLSearchHooks: Online Oryte Games Toolbar: {b4eeda34-67a2-4915-a821-4f22f093fec1} - c:\program files\online_oryte_games\tbOnli.dll
    mURLSearchHooks: Online Oryte Games Toolbar: {b4eeda34-67a2-4915-a821-4f22f093fec1} - c:\program files\online_oryte_games\tbOnli.dll
    BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: PriceGongBHO Class: {1631550F-191D-4826-B069-D9439253D926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
    BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0\bin\ssv.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: Online Oryte Games Toolbar: {b4eeda34-67a2-4915-a821-4f22f093fec1} - c:\program files\online_oryte_games\tbOnli.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    TB: Online Oryte Games Toolbar: {B4EEDA34-67A2-4915-A821-4F22F093FEC1} - c:\program files\online_oryte_games\tbOnli.dll
    TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
    TB: Online Oryte Games Toolbar: {b4eeda34-67a2-4915-a821-4f22f093fec1} - c:\program files\online_oryte_games\tbOnli.dll
    TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [PcsbRFwAfQo] c:\programdata\PcsbRFwAfQo.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
    mRun: [SmoothView] c:\program files\toshiba\smoothview\SmoothView.exe
    mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
    mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
    mRun: [ZTOSComp] wscript c:\windows\setup\scripts\toscomp\CompInst.VBS //b
    mRun: [Skytel] Skytel.exe
    mRun: [WTClient] WTClient.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
    mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 211.29.152.116 198.142.0.51 211.29.132.12
    TCP: Interfaces\{6D36363A-E3EF-4053-B68C-6EC19D654E44} : DHCPNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - igfxdev.dll
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\windows mail\WinMail.exe" OCInstallUserConfigOE
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-19 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-7-19 309848]
    R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2011-3-22 82832]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-7-19 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-7-19 54104]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-4-20 7168]
    R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2007-6-8 18944]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-18 39272]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-19 41272]
    S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2007-4-24 10752]
    .
    =============== Created Last 30 ================
    .
    2011-07-19 09:39:49 -------- d-----w- c:\users\user\appdata\roaming\Malwarebytes
    2011-07-19 09:38:33 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-19 09:38:25 -------- d-----w- c:\programdata\Malwarebytes
    2011-07-19 09:38:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-19 09:38:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-19 04:33:27 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-07-19 04:33:17 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-07-19 04:30:37 40112 ----a-w- c:\windows\avastSS.scr
    2011-07-19 04:29:59 -------- d--h--w- c:\programdata\AVAST Software
    2011-07-19 04:29:58 -------- d-----w- c:\program files\AVAST Software
    2011-07-18 11:00:16 -------- d--h--w- c:\programdata\Spybot - Search & Destroy
    2011-07-18 11:00:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-07-18 10:39:37 -------- d--h--w- c:\users\user\appdata\local\{6D29573D-9EAA-4B85-90CC-79448AB821E0}
    2011-07-15 21:53:05 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{cbcee4bb-87ac-4886-9bac-34e7eb979ecb}\mpengine.dll
    2011-07-13 04:28:38 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-07-13 04:27:22 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-13 04:27:19 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-07-03 01:51:20 -------- d--h--w- c:\users\user\appdata\local\{F3398B56-BEAC-4F85-848B-0C48C4755A44}
    2011-07-01 06:14:02 276992 ----a-w- c:\windows\system32\schannel.dll
    .
    ==================== Find3M ====================
    .
    2011-05-28 06:08:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-05-28 06:04:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-05-28 06:04:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-05-28 06:04:03 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-05-28 06:04:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-05-28 05:10:26 385024 ----a-w- c:\windows\system32\html.iec
    2011-05-28 04:33:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-05-28 04:31:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-05-24 09:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-15 02:45:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-02 17:16:14 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 13:25:10 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-04-29 13:25:09 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-04-29 13:24:50 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-04-29 13:24:42 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-04-29 13:24:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-21 13:58:27 273408 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    ============= FINISH: 20:23:28.20 ===============


    Any help would be gratefully appreciated
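As an added illustration (this is not code from the thread, nor from DDS, Malwarebytes or any other tool named in it), the following Python script parses "Pseudo HJT Report" lines in the layout DDS uses and applies three triage heuristics of my own choosing: an autorun that launches from a user-writable location (ProgramData, AppData, Temp), an executable whose name looks randomly generated, and an add-on whose name matches one of the toolbar/adware families that appear in the logs above and are widely classified as PUP. The sample lines are copied from the log in this post; the thresholds, markers and the `Finding` type are assumptions for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: "Pseudo HJT Report" lines in the layout DDS uses, copied from
# the log posted in this thread (uRun/mRun autoruns, BHO and TB browser add-ons).
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com.au/
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [PcsbRFwAfQo] c:\programdata\PcsbRFwAfQo.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
BHO: PriceGongBHO Class: {1631550F-191D-4826-B069-D9439253D926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
TB: Online Oryte Games Toolbar: {B4EEDA34-67A2-4915-A821-4F22F093FEC1} - c:\program files\online_oryte_games\tbOnli.dll
"""

# Line shapes DDS emits for autoruns and for browser helper objects / toolbars.
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
ADDON_RE = re.compile(r"^(?:BHO|TB): (?P<name>.+?): \{[^}]+\} - (?P<cmd>.+)$")
# First drive-rooted path ending in .exe or .dll, with or without surrounding quotes.
PATH_RE = re.compile(r'"?(?P<path>[a-z]:\\[^"]+?\.(?:exe|dll))', re.I)

# Assumed heuristics (not part of DDS): markers of user-writable locations, and
# adware/toolbar family names that occur in this thread's logs.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\")
KNOWN_PUP = ("conduit", "pricegong", "oryte", "magoo")


@dataclass
class Finding:
    kind: str                # "run" (autorun) or "addon" (BHO/TB entry)
    name: str
    path: str | None
    reasons: list[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Crude heuristic: three or more lower->upper case flips inside one token
    (e.g. PcsbRFwAfQo) is rare in real product names such as iTunesHelper."""
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() and b.isupper())
    return flips >= 3


def parse_entries(report: str) -> list[Finding]:
    """Return every autorun and add-on entry found in the report text."""
    entries: list[Finding] = []
    for line in report.splitlines():
        line = line.strip()
        kind, m = "run", RUN_RE.match(line)
        if not m:
            kind, m = "addon", ADDON_RE.match(line)
        if not m:
            continue                      # other DDS line types are ignored here
        p = PATH_RE.search(m.group("cmd"))
        entries.append(Finding(kind, m.group("name"), p.group("path") if p else None))
    return entries


def triage(report: str) -> list[Finding]:
    """Apply the heuristics; only entries with at least one reason are returned."""
    flagged: list[Finding] = []
    for e in parse_entries(report):
        low_path = (e.path or "").lower()
        if any(marker in low_path for marker in USER_WRITABLE):
            e.reasons.append("user-writable-path")
        if e.path:
            stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                e.reasons.append("random-name")
        if any(pup in (e.name + " " + low_path).lower() for pup in KNOWN_PUP):
            e.reasons.append("known-pup")
        if e.reasons:
            flagged.append(e)
    return flagged


def flagged_names(report: str) -> dict[str, list[str]]:
    """Convenience view: entry name -> list of reasons it was flagged."""
    return {f.name: f.reasons for f in triage(report)}


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.kind}] {f.name}: {', '.join(f.reasons)}  ({f.path})")
```

Run as a script, it lists the Oryte toolbar, Conduit Engine and PriceGong add-ons under `known-pup`, and the `PcsbRFwAfQo` autorun under both `user-writable-path` and `random-name`, while the Toshiba, Windows Defender and avast! entries pass untouched. A heuristic like this only decides what to look at first; whether a flagged item is actually unwanted still has to be confirmed against the tool logs (as the ComboFix output later in this thread does for the rogue "System Repair" shortcuts).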
     
  2. Bobbye

    Bobbye, Helper on the Fringe

    Welcome to TechSpot! I'll help with the malware.

    That sweet little guy seems to be fond of a program called Mighty Magoo. I suspect there are a few other characters around.

    Can you get into the system at all? Past the black screen? I'm going to check out Magoo and the rest of the logs, but I need to know if 1. there is access into the system and 2. if there is internet access.
     
  3. Svobod

    Svobod TS Rookie Topic Starter

    Thanks, yes, I can get into the system. Running through the 7 steps seems to have stopped the pop ups and system shut downs.

    To get to the internet I just have to type in internet and it'll find it that way.

    I daresay the mighty magoo is attached to some kids site and attaches that way


    thanks for your help.
     
  4. Bobbye

    Bobbye, Helper on the Fringe

    Well, Magoo has got the little guy around the neck! There is a deactivator, but it is on the Magoo site. My site advisor (WOT) warns me that it is a bad site and Firefox won't load it!

    But it does seem to be in Add/Remove Programs in the Control Panel. Please check there, and if seen, uninstall from there. Then use Windows Explorer to access My Computer> Local Drive> Programs and do a right click> Delete on the folder.
    =================================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ============================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================================
    After the system is clean, consider using the Content Advisor to set some restrictions on internet access.
     
  5. Svobod

    Svobod TS Rookie Topic Starter

    I wasn't able to find Magoo in the Add/Remove Programs or in the Programs folder

    ---------

    Combofix log

    ComboFix 11-07-20.05 - User 21/07/2011 11:18:42.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.61.1033.18.1014.341 [GMT 10:00]
    Running from: c:\users\User\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Repair.lnk
    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair
    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair\System Repair.lnk
    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
    c:\users\User\Desktop\System Repair.lnk
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    .
    Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
    Restored copy from - c:\combofix\HarddiskVolumeShadowCopy2_!Windows!System32!kernel32.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-21 to 2011-07-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-21 01:31 . 2011-07-21 01:38 -------- d-----w- c:\users\User\AppData\Local\temp
    2011-07-21 01:31 . 2011-07-21 01:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-19 22:51 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{87CB4467-3436-4D8B-A4F8-5E5CFCDC4108}\mpengine.dll
    2011-07-19 09:39 . 2011-07-19 09:39 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
    2011-07-19 09:38 . 2011-07-06 09:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-19 09:38 . 2011-07-19 09:38 -------- d-----w- c:\programdata\Malwarebytes
    2011-07-19 09:38 . 2011-07-06 09:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-19 09:38 . 2011-07-19 09:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-19 04:33 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-07-19 04:33 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-07-19 04:33 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-07-19 04:33 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-07-19 04:33 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-07-19 04:33 . 2011-07-04 11:32 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-07-19 04:30 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-07-19 04:30 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-07-19 04:29 . 2011-07-19 04:29 -------- d--h--w- c:\programdata\AVAST Software
    2011-07-19 04:29 . 2011-07-19 04:29 -------- d-----w- c:\program files\AVAST Software
    2011-07-18 11:00 . 2011-07-19 04:34 -------- d--h--w- c:\programdata\Spybot - Search & Destroy
    2011-07-18 11:00 . 2011-07-18 11:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-07-13 04:28 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-07-13 04:27 . 2011-04-20 15:55 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-13 04:27 . 2011-04-20 15:50 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-07-01 06:14 . 2011-04-29 15:59 276992 ----a-w- c:\windows\system32\schannel.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-28 06:08 . 2011-06-16 21:48 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-05-28 06:04 . 2011-06-16 21:48 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-05-28 06:04 . 2011-06-16 21:48 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-05-28 06:04 . 2011-06-16 21:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-05-28 06:04 . 2011-06-16 21:48 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-05-28 05:10 . 2011-06-16 21:48 385024 ----a-w- c:\windows\system32\html.iec
    2011-05-28 04:33 . 2011-06-16 21:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-05-28 04:31 . 2011-06-16 21:48 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-05-24 09:14 . 2010-10-30 04:03 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-15 02:45 . 2011-05-15 02:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-02 17:16 . 2011-06-16 21:48 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 13:25 . 2011-06-16 21:48 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-04-29 13:25 . 2011-06-16 21:48 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-04-29 13:24 . 2011-06-16 21:48 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-04-29 13:24 . 2011-06-16 21:48 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-04-29 13:24 . 2011-06-16 21:48 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{b4eeda34-67a2-4915-a821-4f22f093fec1}"= "c:\program files\Online_Oryte_Games\tbOnli.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{b4eeda34-67a2-4915-a821-4f22f093fec1}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-10-18 01:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b4eeda34-67a2-4915-a821-4f22f093fec1}]
    2010-10-18 01:26 3908192 ----a-w- c:\program files\Online_Oryte_Games\tbOnli.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{b4eeda34-67a2-4915-a821-4f22f093fec1}"= "c:\program files\Online_Oryte_Games\tbOnli.dll" [2010-10-18 3908192]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{b4eeda34-67a2-4915-a821-4f22f093fec1}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{B4EEDA34-67A2-4915-A821-4F22F093FEC1}"= "c:\program files\Online_Oryte_Games\tbOnli.dll" [2010-10-18 3908192]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{b4eeda34-67a2-4915-a821-4f22f093fec1}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 417792]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZTOSComp"="wscript" [X]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-29 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-29 154392]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-29 133912]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-03-14 4399104]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-13 1348904]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 448632]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-03-23 538744]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-03-22 413696]
    "Skytel"="Skytel.exe" [2007-03-13 1822720]
    "WTClient"="WTClient.exe" [2009-10-30 32768]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
    .
    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-07 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-07 136176]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    R3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\DRIVERS\PTSimHid.sys [2007-04-23 10752]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2011-03-21 82832]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
    S2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2011-03-21 1461520]
    S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-01-27 2253688]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys [2007-06-07 18944]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-07 04:30]
    .
    2011-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-07 04:30]
    .
    2011-07-20 c:\windows\Tasks\User_Feed_Synchronization-{A2F6BFEF-D7DA-4E42-97CF-15F2C57C2E21}.job
    - c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-PcsbRFwAfQo - c:\programdata\PcsbRFwAfQo.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-21 11:37
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????3u??0??(???P?????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\windows\System32\Drivers\WTSRV.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\TeamViewer\Version6\TeamViewer.exe
    c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-21 11:57:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-21 01:57
    .
    Pre-Run: 118,632,419,328 bytes free
    Post-Run: 118,937,395,200 bytes free
    .
    - - End Of File - - 38E41FF41D1DB43DF4AFA9C92412B1C9


    ---------------------

    ESET Log

    C:\Users\User\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\5a2a347a-3693f052 multiple threats


    Is that all it should be?



    thank you for all your help
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Glad to help. Yes, the one entry in Eset is okay. It is actually for multiple entries in the Java cache> so you empty it:

    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Images courtesy java.com
    ==================================================
    I am seeing the infections in the Java cache frequently. Every one of them has had outdated versions of Java on the system, which are vulnerabilities. Even if you get the most current version, it doesn't overwrite the old ones and they must be removed manually in Add/Remove Programs.

    This system is 26 updates out of date as it has only Java(TM) SE Runtime Environment 6. Please update to the current v6u26: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    =====================================================
    Please go on to the next reply.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Combofix has removed files for the popcaploader. This is 'legal' adware called PopCap Loader from the PopCap Games company. It is a Web plug-in that provides Web update features for games. It is popular but comes with a lot of the 'legal adware'. Since your little guy managed to access a site that the browser should have blocked, I am removing some of the entries that made that easier:
    ====================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    c:\users\user\appdata\local\{F3398B56-BEAC-4F85-848B-0C48C4755A44}
    DDS::
    uURLSearchHooks: Online Oryte Games Toolbar: {b4eeda34-67a2-4915-a821-4f22f093fec1} - c:\program files\online_oryte_games\tbOnli.dll
    mURLSearchHooks: Online Oryte Games Toolbar: {b4eeda34-67a2-4915-a821-4f22f093fec1} - c:\program files\online_oryte_games\tbOnli.dll
    BHO: PriceGongBHO Class: {1631550F-191D-4826-B069-D9439253D926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
    BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
    BHO: Online Oryte Games Toolbar: {b4eeda34-67a2-4915-a821-4f22f093fec1} - c:\program files\online_oryte_games\tbOnli.dll
    TB: Online Oryte Games Toolbar: {B4EEDA34-67A2-4915-A821-4F22F093FEC1} - c:\program files\online_oryte_games\tbOnli.dll
    TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
    TB: Online Oryte Games Toolbar: {b4eeda34-67a2-4915-a821-4f22f093fec1} - c:\program files\online_oryte_games\tbOnli.dll
    TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{b4eeda34-67a2-4915-a821-4f22f093fec1}"=-
    [HKEY_CLASSES_ROOT\clsid\{b4eeda34-67a2-4915-a821-4f22f093fec1}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b4eeda34-67a2-4915-a821-4f22f093fec1}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{b4eeda34-67a2-4915-a821-4f22f093fec1}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [HKEY_CLASSES_ROOT\clsid\{b4eeda34-67a2-4915-a821-4f22f093fec1}]
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{B4EEDA34-67A2-4915-A821-4F22F093FEC1}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [HKEY_CLASSES_ROOT\clsid\{b4eeda34-67a2-4915-a821-4f22f093fec1}]
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ================================================
    Please uninstall the following:
    Conduit Engine
    Online Oryte Games Toolbar
    PriceGong 2.1.0

    Then use Windows Explorer> My Computer> Local Drive> Program> do a right click> Delete on each of the program folders.
    ================================================
    Suggest you put a site advisor on the system. I recommend >
    The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email account – Google Mail, Yahoo! Mail and Hotmail – is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light:
    Green (2 shades)> Good to go.
    Amber/Yellow> use Caution,
    Red> not advised.

    If you want to link from the page you're on to another site, WOT will give you an Alert that the site is known for fraudulent entries, unreliability or other problems, and the site won't load. Don't worry, those Alerts don't happen if you stick to the green rating.
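
As an added example (not part of this thread, and not ComboFix's or the helper's own code), the following PowerShell script re-checks the Internet Explorer load points that the ComboFix log lists under 'Reg Loading Points' (URLSearchHooks, Browser Helper Objects, Toolbars) and lists the Java runtimes still registered in Add/Remove Programs, so leftover toolbar entries and stale JREs stand out after the cleanup. The registry paths, the 'conduit'/'oryte'/'pricegong' name patterns taken from the log above, and the PowerShell 2.0 compatible syntax (Vista era) are assumptions made for this script.

```powershell
# Added example: audit IE load points and installed Java runtimes after cleanup.
# Run from an elevated PowerShell prompt. Suspect name patterns are taken from
# the entries the thread removed (assumption for this script).
$SuspectNames = 'conduit', 'oryte', 'pricegong'

# Load points that store each CLSID as a value name
$ValueKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)
# Load points that store each CLSID as a subkey name
$SubkeyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-ClsidDll {
    param([string]$Clsid)
    # The DLL implementing a COM class is recorded at CLSID\{guid}\InprocServer32
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -and $item.'(default)') {
        return [Environment]::ExpandEnvironmentVariables($item.'(default)')
    }
    return $null
}

function Test-LoadPointEntry {
    param([string]$Source, [string]$Clsid)
    $dll = Get-ClsidDll $Clsid
    $status = 'ok'
    if (-not $dll) {
        # CLSID registered as a load point but no server DLL: an orphan, like the
        # 'WebBrowser-{...} - (no file)' line ComboFix reported
        $status = 'no InprocServer32 (orphan CLSID)'
    } elseif (-not (Test-Path -LiteralPath $dll)) {
        $status = 'DLL missing on disk'
    } else {
        foreach ($name in $SuspectNames) {
            if ($dll -match $name) { $status = "matches '$name'" }
        }
    }
    New-Object PSObject -Property @{ Source = $Source; CLSID = $Clsid; Dll = $dll; Status = $status }
}

$findings = @()
foreach ($key in $ValueKeys) {
    $reg = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($reg) {
        foreach ($name in $reg.GetValueNames()) {
            # Only GUID-shaped value names are load-point entries
            if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') {
                $findings += Test-LoadPointEntry $key $name
            }
        }
    }
}
foreach ($key in $SubkeyKeys) {
    foreach ($sub in (Get-ChildItem -Path $key -ErrorAction SilentlyContinue)) {
        $findings += Test-LoadPointEntry $key $sub.PSChildName
    }
}
$findings | Format-Table Source, CLSID, Status, Dll -AutoSize

# Every JRE left in Add/Remove Programs is a separate, separately exploitable
# install; as the thread advises, only the newest should remain.
$Uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem -Path $Uninstall -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Sort-Object DisplayVersion |
    Format-Table DisplayName, DisplayVersion, InstallLocation -AutoSize
```

Entries whose Status is anything but 'ok' are the ones to compare against the CFScript and the uninstall list in the post above.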
     
  8. Svobod

    Svobod TS Rookie Topic Starter

    Thank you, done those steps.

    This is the combo fix log

    ComboFix 11-07-20.05 - User 22/07/2011 4:35.2.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.61.1033.18.1014.299 [GMT 10:00]
    Running from: c:\users\User\Downloads\ComboFix.exe
    Command switches used :: c:\users\User\Downloads\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\conduitengine\ConduitEngine.dll
    c:\program files\online_oryte_games\tbOnli.dll
    c:\program files\pricegong\2.1.0\PriceGongIE.dll
    c:\users\user\appdata\local\{F3398B56-BEAC-4F85-848B-0C48C4755A44}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-21 to 2011-07-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-21 18:46 . 2011-07-21 18:46 -------- d-----w- c:\users\User\AppData\Local\temp
    2011-07-21 18:46 . 2011-07-21 18:46 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-21 18:12 . 2011-07-21 18:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-21 02:03 . 2011-07-21 02:03 -------- d-----w- c:\program files\ESET
    2011-07-19 22:51 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{87CB4467-3436-4D8B-A4F8-5E5CFCDC4108}\mpengine.dll
    2011-07-19 09:39 . 2011-07-19 09:39 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
    2011-07-19 09:38 . 2011-07-06 09:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-19 09:38 . 2011-07-19 09:38 -------- d-----w- c:\programdata\Malwarebytes
    2011-07-19 09:38 . 2011-07-06 09:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-19 09:38 . 2011-07-19 09:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-19 04:33 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-07-19 04:33 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-07-19 04:33 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-07-19 04:33 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-07-19 04:33 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-07-19 04:33 . 2011-07-04 11:32 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-07-19 04:30 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-07-19 04:30 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-07-19 04:29 . 2011-07-19 04:29 -------- d-----w- c:\programdata\AVAST Software
    2011-07-19 04:29 . 2011-07-19 04:29 -------- d-----w- c:\program files\AVAST Software
    2011-07-18 11:00 . 2011-07-19 04:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-07-18 11:00 . 2011-07-18 11:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-07-13 04:28 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-07-13 04:27 . 2011-04-20 15:55 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-13 04:27 . 2011-04-20 15:50 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-07-01 06:14 . 2011-04-29 15:59 276992 ----a-w- c:\windows\system32\schannel.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-28 06:08 . 2011-06-16 21:48 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-05-28 06:04 . 2011-06-16 21:48 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-05-28 06:04 . 2011-06-16 21:48 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-05-28 06:04 . 2011-06-16 21:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-05-28 06:04 . 2011-06-16 21:48 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-05-28 05:10 . 2011-06-16 21:48 385024 ----a-w- c:\windows\system32\html.iec
    2011-05-28 04:33 . 2011-06-16 21:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-05-28 04:31 . 2011-06-16 21:48 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-05-24 09:14 . 2010-10-30 04:03 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-15 02:45 . 2011-05-15 02:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-02 17:16 . 2011-06-16 21:48 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 13:25 . 2011-06-16 21:48 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-04-29 13:25 . 2011-06-16 21:48 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-04-29 13:24 . 2011-06-16 21:48 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-04-29 13:24 . 2011-06-16 21:48 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-04-29 13:24 . 2011-06-16 21:48 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 417792]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZTOSComp"="wscript" [X]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-29 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-29 154392]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-29 133912]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-03-14 4399104]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-13 1348904]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 448632]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-03-23 538744]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-03-22 413696]
    "Skytel"="Skytel.exe" [2007-03-13 1822720]
    "WTClient"="WTClient.exe" [2009-10-30 32768]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
    .
    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-07 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-07 136176]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
    R3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\DRIVERS\PTSimHid.sys [2007-04-23 10752]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2011-03-21 82832]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
    S2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2011-03-21 1461520]
    S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-01-27 2253688]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys [2007-06-07 18944]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-07 04:30]
    .
    2011-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-07 04:30]
    .
    2011-07-21 c:\windows\Tasks\User_Feed_Synchronization-{A2F6BFEF-D7DA-4E42-97CF-15F2C57C2E21}.job
    - c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-22 04:46
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????3u??0??(???P?????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2011-07-22 04:51:07
    ComboFix-quarantined-files.txt 2011-07-21 18:51
    ComboFix2.txt 2011-07-21 01:58
    .
    Pre-Run: 115,797,278,720 bytes free
    Post-Run: 115,467,788,288 bytes free
    .
    - - End Of File - - 646E9CAFF28B3FEDC6B3E9EFFAE04DE7


    The desktop is still black and the start button doesn't show any programs.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This should help:
    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    ================================================
    Then I'd like you to do the following: Okay to use the download already on the system:>>
    Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

    When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
     
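    The "everything hidden" symptom Unhide.exe repairs can also be reversed, and first inspected, with a dry run. The following PowerShell script is an added example for this thread, not Unhide.exe and not Bobbye's code; the root folders, the log file name and the rule of skipping items that also carry the System attribute are my assumptions.

```powershell
# Added example (not Unhide.exe): clear the Hidden attribute from user files,
# leaving anything that is also marked System alone (Windows hides those itself).
# Run with -WhatIf first to see what would change before touching anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed sweep roots: the rogue blanked the desktop and the Programs menu,
    # so the user profile and the shared Start Menu are the defaults here.
    [string[]] $Roots = @(
        $env:USERPROFILE,
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu')
    )
)

$hidden  = [int][IO.FileAttributes]::Hidden   # 0x2
$system  = [int][IO.FileAttributes]::System   # 0x4
$changed = @()

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $attr = [int]$_.Attributes
            # Only plain Hidden items; skip Hidden+System (desktop.ini, thumbs.db, ...)
            if (($attr -band $hidden) -and -not ($attr -band $system)) {
                if ($PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden attribute')) {
                    $_.Attributes = [IO.FileAttributes]($attr -band (-bnot $hidden))
                    $changed += $_.FullName
                }
            }
        }
}

# Keep a record of what was changed so it can be reviewed or re-hidden later.
$logPath = Join-Path $env:USERPROFILE 'Desktop\unhide-log.txt'   # assumed name
$changed | Out-File -FilePath $logPath
Write-Output ("Cleared Hidden on {0} item(s); list saved to {1}" -f $changed.Count, $logPath)
```

    Legitimately hidden profile folders such as AppData become visible too; the log lists every path touched so they can be re-hidden if wanted.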
  10. Svobod

    Svobod TS Rookie Topic Starter

    I think this is looking good......


    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7197

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19088

    23/07/2011 1:32:52 PM
    mbam-log-2011-07-23 (13-32-52).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 273277
    Time elapsed: 1 hour(s), 25 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    I've got WOT running and Avast, is there anything else I should add?
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you run Unhide? Did it restore missing entries? I am going to leave some security tips in the next reply.
    ===================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZTOSComp"=-
    RegLockDel::
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD =-
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. No log needed.
    ====================
    There is a hidden file you need to remove:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    ------------------------------------------
    Using Windows Explorer (Right click on Start> Explore)> Go to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide protected system files (Recommended)'> Confirm Yes> Apply> OK.

    Go to My Computer> Double click on Local Drive(C)> Programs> Find this Toshiba folder C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe> and open> Find toscdspd.exe> Do a right click> Delete.

    Please re-hide the files when finished and close Windows Explorer
    =============================================
    What we've done is remove what is seen now. If you want to try and protect a young person, you need to set up some filters using the Content Advisor in Internet Options. If there is a way to do it, it would be good if a filter could be set up so only sites rated as safe by the WOT green light could be opened on his account.
    ==============================================
    If the malware problems have been resolved:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Please see additional security tips in next reply.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o] Antivirus (only one): Both of the following programs are free and known to be good:
      [o] Avira-AntiVir-Personal-Free-Antivirus
      [o] Avast-Free Antivirus
      [o] Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o] Comodo
      [o] Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o] Spybot Search & Destroy
    4. Updates: Stay current:
      [o] The Microsoft Download Site, frequently. All updates marked Critical and the current SP updates.
      [o] Adobe Reader: Install current, uninstall old.
      [o] Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o] See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
    ================================================
     
  13. Svobod

    Svobod TS Rookie Topic Starter

    Thank you so much. I now have a cleaned up computer to give back to my son.

    Everything appears to be clean now and working.

    I really appreciate your time and help.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome! Don't forget to check out the Content Advisor in the browser.
     
Topic Status:
Not open for further replies.
