PC Performance & Stability analysis report Virus (False security system report)

By tarynator
Jul 9, 2011
  1. Hello all,

    My mom's laptop has become infected with this PC Performance virus, all icons on the desktop are missing, the wallpaper is black, and there are endless pop ups saying there are errors and to install a fake security system. I've had an infection similar to this on my personal laptop and was able to remove it, but this one has me stumped.

    Here are the logs:


    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6705

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19088

    09/07/2011 11:28:34 AM
    mbam-log-2011-07-09 (11-28-34).txt

    Scan type: Quick scan
    Objects scanned: 197726
    Time elapsed: 11 minute(s), 8 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    c:\programdata\43900664.exe (Trojan.Agent) -> 4916 -> Failed to unload process.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\43900664.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    --------------------------

    GMER log is empty

    --------------------------

    I am running DDS on her laptop now... and it's taking a VERY long time. I'll have to get back to you on this one. But in the meantime, if there are any tips anyone can give me to get rid of this bugger, it'd be greatly appreciated. I only have today to get this computer fixed.

    Thanks
  2. tarynator


    .
    DDS (Ver_2011-06-23.01) - NTFSAMD64
    Internet Explorer: 8.0.6001.19088
    Run by Home at 11:55:25 on 2011-07-09
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3070.1222 [GMT -4:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files (x86)\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    c:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio64.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files (x86)\GamesBar\SearchEngineProtection.exe
    C:\ProgramData\rGDEAIvvgrLJejA.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Program Files (x86)\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Program Files (x86)\PC Tools Security\pctsGui.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\SysWOW64\conime.exe
    C:\ProgramData\42458872.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\REGSVR32.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ca/
    uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    uURLSearchHooks: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - C:\Users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    mURLSearchHooks: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files (x86)\TranslatorBar_3.2\tbTra2.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngin.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - C:\Users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files (x86)\TranslatorBar_3.2\tbTra2.dll
    BHO: GamesBarBHO Class: {cb0d163c-e9f4-4236-9496-0597e24b23a5} - C:\Program Files (x86)\GamesBar\2.0.1.59\oberontb.dll
    TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - C:\Users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: GamesBar: {6f282b65-56bf-4bd1-a8b2-a4449a05863d} - C:\Program Files (x86)\GamesBar\2.0.1.59\oberontb.dll
    TB: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files (x86)\TranslatorBar_3.2\tbTra2.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngin.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [SearchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe
    uRun: [rGDEAIvvgrLJejA] C:\ProgramData\rGDEAIvvgrLJejA.exe
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    mRun: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
    mRun: [Symantec PIF AlertEng] "C:\Program Files (x86)\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files (x86)\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
    mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files (x86)\GamesBar\2.0.1.59\oberontb.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files%20(x86)/Vacation%20Quest%20-%20The%20Hawaiian%20Islands/Images/stg_drm.ocx
    DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://games.ca.zone.msn.com/bingame/amun/default/mjolauncher.cab
    DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
    DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{D4FF19B8-CDA5-4CC1-B6B1-09EA51DEF22B} : DhcpNameServer = 192.168.1.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngin.dll
    BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: MyIdentityDefender: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files (x86)\TranslatorBar_3.2\tbTra2.dll
    BHO-X64: GamesBarBHO Class: {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files (x86)\GamesBar\2.0.1.59\oberontb.dll
    TB-X64: MyIdentityDefender: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB-X64: GamesBar: {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files (x86)\GamesBar\2.0.1.59\oberontb.dll
    TB-X64: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files (x86)\TranslatorBar_3.2\tbTra2.dll
    TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngin.dll
    TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB-X64: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    mRun-x64: [NDSTray.exe] NDSTray.exe
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    mRun-x64: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
    mRun-x64: [Symantec PIF AlertEng] "C:\Program Files (x86)\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files (x86)\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
    mRun-x64: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun-x64: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PCTCore;PCTools KDS;C:\Windows\system32\drivers\PCTCore64.sys --> C:\Windows\system32\drivers\PCTCore64.sys [?]
    R0 pctDS;PC Tools Data Store;C:\Windows\system32\drivers\pctDS64.sys --> C:\Windows\system32\drivers\pctDS64.sys [?]
    R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\system32\drivers\pctEFA64.sys --> C:\Windows\system32\drivers\pctEFA64.sys [?]
    R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\system32\DRIVERS\tos_sps64.sys --> C:\Windows\system32\DRIVERS\tos_sps64.sys [?]
    R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
    R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-2-22 366640]
    R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-3 175104]
    R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]
    R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDART64.sys --> C:\Windows\system32\drivers\CHDART64.sys [?]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    R3 NETw4v64;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw4v64.sys --> C:\Windows\system32\DRIVERS\NETw4v64.sys [?]
    R3 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2mdx64.sys --> C:\Windows\system32\DRIVERS\o2mdx64.sys [?]
    R3 O2SDRDR;O2SDRDR;C:\Windows\system32\DRIVERS\o2sdx64.sys --> C:\Windows\system32\DRIVERS\o2sdx64.sys [?]
    R3 QIOMem;Generic IO & Memory Access;C:\Windows\system32\DRIVERS\QIOMem.sys --> C:\Windows\system32\DRIVERS\QIOMem.sys [?]
    R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
    S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;\??\C:\Windows\system32\drivers\BVRPMPR5a64.SYS --> C:\Windows\system32\drivers\BVRPMPR5a64.SYS [?]
    S3 fssfltr;FssFltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-10 89920]
    .
    =============== File Associations ===============
    .
    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-07-09 15:34:05 378880 ---ha-w- C:\ProgramData\42458872.exe
    2011-07-09 14:21:35 816016 ----a-w- C:\Windows\System32\drivers\pctEFA64.sys
    2011-07-09 14:21:34 452872 ----a-w- C:\Windows\System32\drivers\pctDS64.sys
    2011-07-09 14:21:32 334976 ----a-w- C:\Windows\System32\drivers\pctgntdi64.sys
    2011-07-09 14:21:32 137704 ----a-w- C:\Windows\System32\drivers\pctwfpfilter64.sys
    2011-07-09 14:21:26 257232 ----a-w- C:\Windows\System32\drivers\PCTCore64.sys
    2011-07-09 14:21:21 92896 ----a-w- C:\Windows\System32\drivers\pctplsg64.sys
    2011-07-09 14:21:16 -------- d--h--w- C:\Users\Home\AppData\Roaming\PC Tools
    2011-07-09 14:21:16 -------- d-----w- C:\Program Files (x86)\PC Tools Security
    2011-07-09 14:21:16 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
    2011-07-09 14:20:09 -------- d--h--w- C:\ProgramData\PC Tools
    2011-07-09 13:44:09 -------- d--h--w- C:\Users\Home\AppData\Local\{6378E4A8-21F1-443A-AF87-142D4D4FA95D}
    2011-07-09 04:32:42 458752 ---ha-w- C:\ProgramData\rGDEAIvvgrLJejA.exe
    2011-07-09 01:38:32 -------- d--h--w- C:\Users\Home\AppData\Local\{181D5A3A-2417-46B1-8963-803E1A8A300A}
    2011-07-08 13:38:11 -------- d--h--w- C:\Users\Home\AppData\Local\{0680E94B-DC68-4B5C-9388-EE6A81CFE783}
    2011-07-08 12:08:54 8873296 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7D0545BA-98FB-48EB-A24F-07EDAC86D517}\mpengine.dll
    2011-07-08 01:37:38 -------- d--h--w- C:\Users\Home\AppData\Local\{9AA090D9-3AEF-49AF-A654-F24F5D09763E}
    2011-07-07 13:37:17 -------- d--h--w- C:\Users\Home\AppData\Local\{1F73EADD-BD02-4318-AAFD-C32A4A4329F1}
    2011-07-07 01:36:40 -------- d--h--w- C:\Users\Home\AppData\Local\{3EC4955B-65D5-4BA5-88A7-7484ACC2986A}
    2011-07-06 12:26:33 -------- d--h--w- C:\Users\Home\AppData\Local\{8BD90E75-0E66-4349-BD88-AD4E4E7D32E9}
    2011-07-05 23:57:40 -------- d--h--w- C:\Users\Home\AppData\Local\{0E390C64-405B-46BC-82E3-AD0F98EAD683}
    2011-07-05 11:56:58 -------- d--h--w- C:\Users\Home\AppData\Local\{88CE1ACC-9D0C-4279-9048-F6F845AE31EE}
    2011-07-04 22:35:47 -------- d--h--w- C:\Users\Home\AppData\Local\{BF4962A0-C3F9-477C-82A4-321B2B8D2B51}
    2011-07-04 10:35:10 -------- d--h--w- C:\Users\Home\AppData\Local\{6D09FD59-C69D-4C85-BBD9-73A3280375B4}
    2011-07-03 12:55:25 -------- d--h--w- C:\Users\Home\AppData\Local\{1AD32C43-F855-4EE3-961B-087F68FF6C6D}
    2011-07-01 13:19:06 -------- d--h--w- C:\Users\Home\AppData\Local\{2C9A7B84-1A96-41B3-9921-7DF946892CC5}
    2011-06-30 22:22:24 -------- d--h--w- C:\Users\Home\AppData\Local\{73CA2612-3F5D-4F8D-B326-40DD1889A60B}
    2011-06-30 10:21:50 -------- d--h--w- C:\Users\Home\AppData\Local\{44BF160C-7631-4AEC-B347-1C52EC3CB507}
    2011-06-29 11:30:52 -------- d--h--w- C:\Users\Home\AppData\Local\{C28B4AD8-E778-4B85-B82F-79149130F208}
    2011-06-29 10:41:13 344576 ----a-w- C:\Windows\System32\schannel.dll
    2011-06-29 10:41:13 276992 ----a-w- C:\Windows\SysWow64\schannel.dll
    2011-06-28 23:30:19 -------- d--h--w- C:\Users\Home\AppData\Local\{E3BB8A9B-0739-4C41-989A-C59CF98EA014}
    2011-06-28 11:29:56 -------- d--h--w- C:\Users\Home\AppData\Local\{EBB5EEB0-73DB-4EC7-90B9-C76B9BBADAE8}
    2011-06-27 13:58:34 -------- d--h--w- C:\Users\Home\AppData\Local\{DD0051F0-C3AF-45C8-A6F7-734024A3E981}
    2011-06-27 01:58:01 -------- d--h--w- C:\Users\Home\AppData\Local\{DA837612-D86D-4DC7-BC06-4674D17B3511}
    2011-06-26 13:57:40 -------- d--h--w- C:\Users\Home\AppData\Local\{E05F9C3D-2295-45A0-B55F-C7D40A675816}
    2011-06-26 01:56:55 -------- d--h--w- C:\Users\Home\AppData\Local\{82BC8054-D494-42DE-897B-F276DD9BA281}
    2011-06-25 09:36:08 -------- d--h--w- C:\Users\Home\AppData\Local\{836F84F6-002B-46C0-A421-8AC349798008}
    2011-06-24 12:25:43 -------- d--h--w- C:\Users\Home\AppData\Local\{228A106E-79E7-4F5F-9795-6C3D7EA59905}
    2011-06-24 04:13:44 488 ----a-w- C:\Program Files (x86)\0620110134431.bat
    2011-06-24 03:12:57 -------- d--h--w- C:\ProgramData\HideAndSecret3
    2011-06-23 23:49:59 -------- d--h--w- C:\Users\Home\AppData\Local\{1BE83009-93A7-420C-B897-353C5C287494}
    2011-06-23 11:49:23 -------- d--h--w- C:\Users\Home\AppData\Local\{833DB327-7632-40DA-9E8E-84EC92D3C411}
    2011-06-22 23:16:14 -------- d--h--w- C:\Users\Home\AppData\Local\{C9E01A42-78FA-4F31-8693-75D086113A7F}
    2011-06-22 11:15:40 -------- d--h--w- C:\Users\Home\AppData\Local\{4DD57AA0-8C4A-4791-ABAF-5212382531DB}
    2011-06-21 01:21:06 -------- d--h--w- C:\Users\Home\AppData\Local\{D57AF4D9-0A3C-4A9D-9948-BC52427B8ADB}
    2011-06-19 23:24:11 -------- d--h--w- C:\Users\Home\AppData\Local\{44ED6051-0208-4928-B20B-085C6AC47353}
    2011-06-17 11:23:41 -------- d--h--w- C:\Users\Home\AppData\Local\{73595AA1-3973-4320-BA77-696FB173622C}
    2011-06-16 23:23:08 -------- d--h--w- C:\Users\Home\AppData\Local\{C776648B-26F2-46C9-BE89-F806C81EEA31}
    2011-06-16 11:22:47 -------- d--h--w- C:\Users\Home\AppData\Local\{8EAEDA73-5566-4FB0-9ACE-47B87D47E730}
    2011-06-15 23:22:13 -------- d--h--w- C:\Users\Home\AppData\Local\{69F3D2A8-89B7-4EA7-92A1-FC9A9B03D902}
    2011-06-15 11:21:52 -------- d--h--w- C:\Users\Home\AppData\Local\{528E750D-1317-4E11-956C-44A63031F0CE}
    2011-06-14 23:21:19 -------- d--h--w- C:\Users\Home\AppData\Local\{46D66052-493B-4219-9E1F-72CB166B0F2B}
    2011-06-14 11:20:57 -------- d--h--w- C:\Users\Home\AppData\Local\{9D25142F-0634-4CF1-9B32-3A13F769CB7E}
    2011-06-13 22:10:13 -------- d--h--w- C:\Users\Home\AppData\Local\{F8EB9D0F-5D73-451E-BC32-09FC1C70E178}
    2011-06-13 10:09:40 -------- d--h--w- C:\Users\Home\AppData\Local\{629864CA-6494-43C3-B382-720FEA3751EA}
    2011-06-12 12:15:36 -------- d--h--w- C:\Users\Home\AppData\Local\{842F71B9-2643-4CBF-8C91-E36498652BAD}
    2011-06-12 00:14:55 -------- d--h--w- C:\Users\Home\AppData\Local\{DEBA98F5-EBEB-431C-B034-6196D17152A3}
    2011-06-11 11:47:00 -------- d--h--w- C:\Users\Home\AppData\Local\{372DE65F-A90C-4B30-B2C6-9492C6A44204}
    2011-06-10 23:46:27 -------- d--h--w- C:\Users\Home\AppData\Local\{503A00B8-57A5-4C31-846B-0FA93A501B90}
    2011-06-10 11:46:07 -------- d--h--w- C:\Users\Home\AppData\Local\{2D810B74-6E79-415B-B7C3-8EF2442C276D}
    2011-06-09 23:45:34 -------- d--h--w- C:\Users\Home\AppData\Local\{A023F04D-7852-4D18-B8FC-F627F9741873}
    .
    ==================== Find3M ====================
    .
    2011-05-29 13:11:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 13:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-05-28 06:28:00 1147904 ----a-w- C:\Windows\System32\wininet.dll
    2011-05-28 06:24:04 56832 ----a-w- C:\Windows\System32\licmgr10.dll
    2011-05-28 06:23:47 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
    2011-05-28 06:23:30 132096 ----a-w- C:\Windows\System32\iesysprep.dll
    2011-05-28 06:23:29 77312 ----a-w- C:\Windows\System32\iesetup.dll
    2011-05-28 06:08:58 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-05-28 06:04:30 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2011-05-28 06:04:17 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2011-05-28 06:04:03 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
    2011-05-28 06:04:03 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
    2011-05-28 05:33:37 479232 ----a-w- C:\Windows\System32\html.iec
    2011-05-28 05:10:26 385024 ----a-w- C:\Windows\SysWow64\html.iec
    2011-05-28 04:53:37 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
    2011-05-28 04:52:18 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-05-28 04:33:03 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2011-05-28 04:31:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-05-24 23:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
    2011-05-18 13:56:59 2762752 ----a-w- C:\Windows\System32\win32k.sys
    2011-05-02 17:16:14 739328 ----a-w- C:\Windows\SysWow64\inetcomm.dll
    2011-05-02 17:13:21 975360 ----a-w- C:\Windows\System32\inetcomm.dll
    2011-04-29 13:41:02 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys
    2011-04-29 13:40:56 145920 ----a-w- C:\Windows\System32\drivers\srvnet.sys
    2011-04-29 13:39:34 275456 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
    2011-04-29 13:39:34 135680 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
    2011-04-29 13:39:31 107008 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
    2011-04-21 14:20:24 405504 ----a-w- C:\Windows\System32\drivers\afd.sys
    2011-04-14 15:14:19 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys
    2010-11-25 12:18:25 467 ----a-w- C:\Program Files (x86)\1120107182510.bat
    2010-10-06 04:08:26 467 ----a-w- C:\Program Files (x86)\1020100082654.bat
    .
    ============= FINISH: 12:03:44.13 ===============
  3. Bobbye


    We can't get rid of it until we see what's on the system. But I'd like you to do another scan with Malwarebytes.

    Please note: Update first and rescan with Malwarebytes. Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

    When the scan has finished, you will see a confirmation box (image not reproduced here):
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Pad before copying the log to paste in your next reply.
    =======================================
    Leave the new logs along with the 2 logs from DDS.

    Although the symptoms you report are typical for this malware, it is not showing in the Mbam Quick Scan.
  4. Bobbye


    Okay, we were posting at the same time. Go ahead and do the Full scan in Malwarebytes as instructed.

    When finished, please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (image not reproduced here).
    • Click on Yes, to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =============================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =================================
    I can see some of the malware in the DDS logs. After you run Combofix, I'll write some script to remove some entries, then we'll try to 'unhide'.

    Edit: I'll be looking for the other log from DDS, named Attach.txt. You may be posting that as I'm typing!
  5. tarynator

    Thanks Bobbye. I am running the full scan now. It might take a while, I did one last night and it took over an hour. I updated Malwarebytes and it found 3 infected objects right away. I'll get back to you asap. Thank you for the quick reply.
  6. tarynator

    Here is the Malwarebytes log from the full scan:


    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 7059

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19088

    09/07/2011 1:27:26 PM
    mbam-log-2011-07-09 (13-27-26).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 375506
    Time elapsed: 56 minute(s), 31 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    c:\programdata\rgdeaivvgrljeja.exe (Trojan.FakeAlert) -> 3708 -> Failed to unload process.
    c:\programdata\42458872.exe (Trojan.Agent) -> 352 -> Failed to unload process.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rGDEAIvvgrLJejA (Trojan.FakeAlert) -> Value: rGDEAIvvgrLJejA -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\rgdeaivvgrljeja.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\Home\AppData\Local\microsoft\Windows\temporary internet files\virtualized\C\Users\Home\Desktop\0.30278755771502475.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\Home\AppData\Local\Temp\Low\jar_cache41391.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\programdata\42458872.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    --------

    Here is the Attach log from DDS:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 28/11/2008 2:44:51 PM
    System Uptime: 09/07/2011 11:31:56 AM (1 hours ago)
    .
    Motherboard: TOSHIBA | | Satellite M300
    Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | U2E1 | 2000/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 225 GiB total, 125.544 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1342: 21/06/2011 9:10:38 PM - Scheduled Checkpoint
    RP1343: 21/06/2011 9:25:13 PM - Windows Update
    RP1344: 22/06/2011 8:57:16 AM - Windows Update
    RP1345: 22/06/2011 8:42:25 PM - Windows Update
    RP1346: 23/06/2011 10:04:19 AM - Scheduled Checkpoint
    RP1347: 23/06/2011 10:41:52 AM - Windows Update
    RP1348: 24/06/2011 1:15:42 AM - Windows Update
    RP1349: 24/06/2011 8:29:52 AM - Windows Update
    RP1350: 24/06/2011 10:46:20 AM - Windows Update
    RP1351: 24/06/2011 8:55:48 PM - Windows Update
    RP1352: 25/06/2011 3:40:57 PM - Scheduled Checkpoint
    RP1353: 25/06/2011 10:02:03 PM - Windows Update
    RP1354: 26/06/2011 7:25:00 AM - Scheduled Checkpoint
    RP1355: 26/06/2011 10:14:32 PM - Windows Update
    RP1356: 27/06/2011 6:59:52 PM - Windows Update
    RP1357: 28/06/2011 7:29:40 AM - Windows Update
    RP1358: 29/06/2011 6:32:36 AM - Windows Update
    RP1359: 29/06/2011 10:18:38 AM - Windows Update
    RP1360: 30/06/2011 6:17:01 AM - Windows Update
    RP1361: 30/06/2011 9:47:12 PM - Windows Update
    RP1362: 01/07/2011 1:05:22 AM - Windows Update
    RP1363: 01/07/2011 9:23:17 AM - Windows Update
    RP1364: 01/07/2011 8:54:33 PM - Windows Update
    RP1365: 02/07/2011 1:55:26 PM - Scheduled Checkpoint
    RP1366: 03/07/2011 8:16:52 AM - Windows Update
    RP1367: 04/07/2011 6:33:56 AM - Windows Update
    RP1368: 04/07/2011 10:00:22 PM - Windows Update
    RP1369: 05/07/2011 8:02:13 AM - Windows Update
    RP1370: 05/07/2011 8:08:18 AM - Windows Update
    RP1371: 06/07/2011 8:23:39 AM - Windows Update
    RP1372: 06/07/2011 10:18:18 PM - Windows Update
    RP1373: 06/07/2011 10:43:06 PM - Windows Update
    RP1374: 08/07/2011 8:04:14 AM - Windows Update
    RP1375: 08/07/2011 8:08:40 AM - Windows Update
    RP1376: 09/07/2011 12:34:57 AM - Removed Bing Bar
    RP1377: 09/07/2011 3:04:36 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.0
    Advanced System Optimizer (Registered Version)
    Amazonia BONUS
    Apple Application Support
    Apple Software Update
    ArcSoft MediaImpression
    Business Contact Manager for Outlook 2007 SP2
    Camera Assistant Software for Toshiba
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    ccc-core-static
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Dutch
    CCC Help English
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Portuguese
    CCC Help Spanish
    CCC Help Swedish
    CD/DVD Drive Acoustic Silencer
    Conduit Engine
    D3DX10
    Definition update for Microsoft Office 2010 (KB982726)
    DVD MovieFactory for TOSHIBA
    Epson Event Manager
    EPSON Scan
    GamesBar 2.0.1.59
    GearDrvs
    HDMI Control Manager
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Java(TM) 6 Update 3
    Junk Mail filter update
    LiveUpdate 3.2 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Home and Student 2010
    Microsoft Office Live Add-in 1.3
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Setup Support Files (English)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft XML Parser
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MyIdentityDefender Toolbar
    NetWaiting
    Norton 360
    OnlinePlay 1.0
    QuickTime
    SANYO User's Manual
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Excel 2010 (KB2523021)
    Security Update for Microsoft Office 2010 (KB2289078)
    Security Update for Microsoft Office 2010 (KB2289161)
    Security Update for Microsoft PowerPoint 2010 (KB2519975)
    Security Update for Microsoft Publisher 2010 (KB2409055)
    Security Update for Microsoft Word 2010 (KB2345000)
    Security Update for Windows Media Encoder (KB2447961)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Segoe UI
    Skins
    Spyware Doctor 8.0
    Toshiba Assist
    TOSHIBA ConfigFree
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Face Recognition
    TOSHIBA Hardware Setup
    Toshiba Registration
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TranslatorBar 3.2 Toolbar
    Ulead Photo Explorer 8.0 SE Basic
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2010 (KB2202188)
    Update for Microsoft Office 2010 (KB2413186)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2523113)
    Update for Microsoft OneNote 2010 (KB2493983)
    Update for Microsoft Outlook Social Connector (KB2441641)
    Visual C++ 8.0 Runtime Setup Package (x64)
    Visual Studio 2008 x64 Redistributables
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Encoder 9 Series
    .
    ==== Event Viewer Messages From Past Week ========
    .
    09/07/2011 3:06:46 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office PowerPoint 2007 (KB2535818).
    09/07/2011 3:06:46 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 for x64-based Systems (KB2518870).
    09/07/2011 3:06:31 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 for x64-based Systems (KB2478663).
    09/07/2011 2:25:00 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    09/07/2011 2:23:53 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: spldr Wanarpv6
    09/07/2011 2:23:53 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    09/07/2011 2:23:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    09/07/2011 2:23:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    09/07/2011 2:23:07 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    09/07/2011 2:23:00 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    09/07/2011 2:08:54 AM, Error: EventLog [6008] - The previous system shutdown at 2:07:44 AM on 09/07/2011 was unexpected.
    09/07/2011 2:05:10 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Font Cache Service service to connect.
    09/07/2011 2:05:10 AM, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    09/07/2011 12:55:00 AM, Error: EventLog [6008] - The previous system shutdown at 12:53:07 AM on 09/07/2011 was unexpected.
    09/07/2011 11:39:19 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    09/07/2011 11:37:32 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    09/07/2011 11:36:24 AM, Error: Service Control Manager [7024] - The KtmRm for Distributed Transaction Coordinator service terminated with service-specific error 2147942438 (0x80070026).
    06/07/2011 8:25:21 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod Service service to connect.
    06/07/2011 8:25:21 AM, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    06/07/2011 8:25:21 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    04/07/2011 6:03:04 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00215C40FC11 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================

    ----

    Just rebooting now, as soon as it starts up I will start with Combofix.
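    As an added example (my own code, not from this thread, its participants or Malwarebytes), the Python below parses a full-scan log in the format tarynator posted above into structured findings, lists what the scanner could not remove (the two running processes it failed to unload) and the Run-key autostart value, and pairs that value with the dropped executable whose file name matches it, which is the persistence mechanism visible in the log. The detection lines embedded in it are copied from that log; the line shape it relies on (item, detection family in parentheses, outcome after `->`) is inferred from those lines and is an assumption, not documented Malwarebytes format.

```python
"""Triage a Malwarebytes' Anti-Malware 1.5x text log (added example, not from the thread).

Assumed layout (inferred from the log posted above): each detailed section is headed
"<Section> Infected:" and lists "(No malicious items detected)" or one detection per
line shaped "<item> (<family>) -> <detail>".
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Detailed section headers carry no trailing count, unlike the summary lines.
SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                        r"Registry Data Items|Folders|Files) Infected:$")
# One detection: item, detection family in parentheses, then the outcome text.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<detail>.+)$")
REMOVED_MARK = "Quarantined and deleted successfully"

# Constructed sample: these lines are copied from the full-scan log posted above.
SAMPLE_LOG = r"""
Memory Processes Infected: 2
Memory Processes Infected:
c:\programdata\rgdeaivvgrljeja.exe (Trojan.FakeAlert) -> 3708 -> Failed to unload process.
c:\programdata\42458872.exe (Trojan.Agent) -> 352 -> Failed to unload process.
Memory Modules Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rGDEAIvvgrLJejA (Trojan.FakeAlert) -> Value: rGDEAIvvgrLJejA -> Quarantined and deleted successfully.
Files Infected:
c:\programdata\rgdeaivvgrljeja.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Home\AppData\Local\microsoft\Windows\temporary internet files\virtualized\C\Users\Home\Desktop\0.30278755771502475.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Home\AppData\Local\Temp\Low\jar_cache41391.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\42458872.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    family: str
    detail: str

    @property
    def removed(self) -> bool:
        return REMOVED_MARK in self.detail

    @property
    def run_key_persistence(self) -> bool:
        # A value under ...\CurrentVersion\Run is executed at every logon.
        return self.section.startswith("Registry") and "\\currentversion\\run\\" in self.item.lower()

def parse_mbam_log(text: str) -> list[Finding]:
    """Return one Finding per detection line, tagged with the section it sits in."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
        elif section and (m := DETECTION_RE.match(line)):
            findings.append(Finding(section, m["item"], m["family"], m["detail"]))
    return findings

def summarize(findings: list[Finding]) -> dict:
    """Counts per family plus what still needs attention after the scan."""
    return {
        "by_family": Counter(f.family for f in findings),
        "not_removed": [f.item for f in findings if not f.removed],
        "persistence": [f.item for f in findings if f.run_key_persistence],
    }

def correlate_persistence(findings: list[Finding]) -> list[tuple[str, str]]:
    """Pair each Run-key value with the detected file whose base name equals the
    value name (case-insensitive); in this log both are named rgdeaivvgrljeja."""
    by_stem = {}
    for f in findings:
        if f.section == "Files":
            stem = f.item.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            by_stem.setdefault(stem, f.item)
    pairs = []
    for f in findings:
        if f.run_key_persistence:
            name = f.item.rsplit("\\", 1)[-1].lower()
            if name in by_stem:
                pairs.append((f.item, by_stem[name]))
    return pairs

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarize(found))
    print(correlate_persistence(found))
```

    Run as-is it reports two items the scanner could not unload (both were still running, which is why the helper moves on to ComboFix rather than treating the Malwarebytes pass as a clean-up) and one Run-key value tied to `c:\programdata\rgdeaivvgrljeja.exe` by name.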
  7. tarynator

    I'm not seeing any more pop-ups from the false security system, so far so good? My desktop icons have also reappeared.

    ComboFix took a long time, but here is the log from it (finally!).


    ComboFix 11-07-09.02 - Home 09/07/2011 13:48:39.1.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3070.1749 [GMT -4:00]
    Running from: c:\users\Home\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\no
    c:\windows\system32\SV
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-09 18:24 . 2011-07-09 18:24 -------- d-----w- c:\users\User\AppData\Local\temp
    2011-07-09 18:24 . 2011-07-09 18:24 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-09 18:24 . 2011-07-09 18:24 -------- d-----w- c:\users\Dave\AppData\Local\temp
    2011-07-09 17:33 . 2011-07-09 17:36 -------- d-----w- C:\32788R22FWJFW
    2011-07-09 14:21 . 2010-07-16 18:53 816016 ----a-w- c:\windows\system32\drivers\pctEFA64.sys
    2011-07-09 14:21 . 2010-06-29 14:35 452872 ----a-w- c:\windows\system32\drivers\pctDS64.sys
    2011-07-09 14:21 . 2011-01-17 13:09 334976 ----a-w- c:\windows\system32\drivers\pctgntdi64.sys
    2011-07-09 14:21 . 2010-12-16 12:43 137704 ----a-w- c:\windows\system32\drivers\pctwfpfilter64.sys
    2011-07-09 14:21 . 2010-12-10 17:24 257232 ----a-w- c:\windows\system32\drivers\PCTCore64.sys
    2011-07-09 14:21 . 2010-12-16 12:46 92896 ----a-w- c:\windows\system32\drivers\pctplsg64.sys
    2011-07-09 14:21 . 2011-07-09 14:36 -------- d-----w- c:\program files (x86)\PC Tools Security
    2011-07-09 14:21 . 2011-07-09 14:23 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
    2011-07-09 14:21 . 2011-07-09 14:21 -------- d--h--w- c:\users\Home\AppData\Roaming\PC Tools
    2011-07-09 14:20 . 2011-07-09 14:21 -------- d--h--w- c:\programdata\PC Tools
    2011-07-09 02:19 . 2011-07-09 02:19 -------- d-----w- c:\users\Dave\AppData\Local\Windows Live Writer
    2011-07-09 02:19 . 2011-07-09 02:19 -------- d-----w- c:\users\Dave\AppData\Roaming\Windows Live Writer
    2011-07-08 12:08 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7D0545BA-98FB-48EB-A24F-07EDAC86D517}\mpengine.dll
    2011-06-29 10:41 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
    2011-06-29 10:41 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
    2011-06-24 04:13 . 2011-06-24 04:13 488 ----a-w- c:\program files (x86)\0620110134431.bat
    2011-06-24 03:12 . 2011-06-24 03:13 -------- d--h--w- c:\programdata\HideAndSecret3
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 13:11 . 2011-02-22 23:18 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 13:11 . 2011-02-22 23:18 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-24 23:14 . 2009-10-03 14:47 270720 ------w- c:\windows\system32\MpSigStub.exe
    2010-11-25 12:18 . 2010-11-25 12:18 467 ----a-w- c:\program files (x86)\1120107182510.bat
    2010-10-06 04:08 . 2010-10-06 04:08 467 ----a-w- c:\program files (x86)\1020100082654.bat
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-10-18 10:26 3908192 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngin.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
    2010-10-18 10:26 3908192 ----a-w- c:\program files (x86)\TranslatorBar_3.2\tbTra2.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{c55f5517-246e-4426-b745-ee25b08eb8b4}"= "c:\program files (x86)\TranslatorBar_3.2\tbTra2.dll" [2010-10-18 3908192]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngin.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
    "SearchEngineProtection"="c:\program files (x86)\Gamesbar\SearchEngineProtection.exe" [2010-07-15 546200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-26 413696]
    "Symantec PIF AlertEng"="c:\program files (x86)\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "ISTray"="c:\program files (x86)\PC Tools Security\pctsGui.exe" [2011-01-13 1589208]
    .
    c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Imgtask.exe [2008-6-11 7680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [x]
    S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS64.sys [x]
    S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA64.sys [x]
    S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
    S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 175104]
    S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
    S3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART64.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 NETw4v64;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw4v64.sys [x]
    S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [x]
    S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [x]
    S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [x]
    S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-09 c:\windows\Tasks\User_Feed_Synchronization-{5103FF29-BA9D-4EB4-A012-CAAECEC92ADD}.job
    - c:\windows\system32\msfeedssync.exe [2011-06-15 04:32]
    .
    2011-07-09 c:\windows\Tasks\User_Feed_Synchronization-{56B8329B-B7B4-447A-995E-387D32609970}.job
    - c:\windows\system32\msfeedssync.exe [2011-06-15 04:32]
    .
    2011-07-09 c:\windows\Tasks\User_Feed_Synchronization-{90734EE0-3620-48AC-B764-0A070ACC2C77}.job
    - c:\windows\system32\msfeedssync.exe [2011-06-15 04:32]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-29 1216808]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.ca/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    LSP: c:\program files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
    TCP: DhcpNameServer = 192.168.1.1
    DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    URLSearchHooks-~A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
    URLSearchHooks-~A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    URLSearchHooks-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - c:\users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    URLSearchHooks-~c55f5517-246e-4426-b745-ee25b08eb8b4} - (no file)
    BHO-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - c:\users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    Toolbar-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - c:\users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{C55F5517-246E-4426-B745-EE25B08EB8B4} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
    HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
    HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    HKLM-Run-HDMICtrlMan - c:\program files (x86)\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2025860295-3400647024-2239534585-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-2025860295-3400647024-2239534585-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-07-09 14:50:34
    ComboFix-quarantined-files.txt 2011-07-09 18:50
    .
    Pre-Run: 134,656,499,712 bytes free
    Post-Run: 135,118,462,976 bytes free
    .
    - - End Of File - - 67C42004B711AB26DEB630772E485428
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    The updated Mbam scan found more of the FakeAlert entries and I am removing more in the script for you to run through Combofix.

    Allow me to say this in your best interest: This system is a mess! It appears that you may have indiscriminately allowed Toolbars and Browser Helper Objects on the system. They may have been bundled with other software, they may have been pre-checked on some download screens. Or you may have even installed programs and apps yourself without checking their safety record.
    =============================================
    Both the Adobe Reader and Java are way out of date. And the versions now on the system are vulnerabilities. Please update each now:
    Adobe Reader site: Uninstall Adobe Reader 8.1.0 in Add/Remove Programs. (Current is v10 (X).)
    Java Updates: Uninstall Java(TM) 6 Update 3 in Add/Remove Programs. (Current is v6u26.)
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    =====================================================
    I have written script that you will run through Combofix. The script includes removal of the following:
    1. MyIdentityDefender from CyberDefender: CD has a checkered past. It has been listed as a rogue program by SpywareWarrior. They have now taken it off of suspension. Please read the information here: Checkered history: http://spywarewarrior.com/de-listed.htm#cybdef_note
    2. Conduit Engine and associated Toolbars:
    3. TranslatorBar 3.2 Toolbar - a Conduit "Community Toolbar" - modifies the default IE URL search hook. Conduit toolbars are reputed to have a certain trackware functionality.
    4. GamesBar 2.0.1.59: resets browser Home and Search pages.
    Please read their Privacy Policy here: EULA: http://start.iplay.com/GamesBar/termsofuse.aspx
    5. And of course, the malware.

    I consider all of the above to be a risk to the security and performance of the system.

    IF you do not want to run or remove any of this, tell me now and I will remove it before I give you the script.
  9. tarynator

    tarynator Newcomer, in training Topic Starter

    Yes, I know it's a mess. This is not my computer, it belongs to my mom and whoever happens to use it there (mind you, they are not very tech-savvy at all).

    Thanks for the help. As of the end of my previous post everything seemed to be working fine... did two more full scans, desktop returned and everything was back to normal (or it appeared to be). Restarted a few times, no problems. I had to leave them at that, though. I'm hoping no problems arise again.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Do you want the script I set up to remove the bad entries? Just because something worked now that didn't work before doesn't make the system much better! Unless you get rid of the risks and malware, we have both wasted our time!
  11. tarynator

    tarynator Newcomer, in training Topic Starter

    Sure, I'll take the script and the next time I'm at their house I will try to fix it up. Sorry for taking your time, but they live 5 hours away so I'm not there too often. I had limited time.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You can review my reason for removing entries for the following in my Reply #8:
    Conduit Engine
    Translator Bar
    GamesBar
    MyIdentityDefender
    ===========================================
    It's also very important to update Java and the Adobe Reader and uninstall the old versions. Perhaps you could direct her to do that in an email or by phone.
    ==========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    C:\ProgramData\42458872.exe
    c:\programdata\rgdeaivvgrljeja.exe
    FileLook::
    c:\program files (x86)\0620110134431.bat
    c:\program files (x86)\1120107182510.bat
    c:\program files (x86)\1020100082654.bat
    Folder::
    DDS::
    uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    mURLSearchHooks: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files (x86)\TranslatorBar_3.2\tbTra2.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngin.dll
    BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - C:\Users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    BHO: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files (x86)\TranslatorBar_3.2\tbTra2.dll
    BHO: GamesBarBHO Class: {cb0d163c-e9f4-4236-9496-0597e24b23a5} - C:\Program Files (x86)\GamesBar\2.0.1.59\oberontb.dll
    TB: GamesBar: {6f282b65-56bf-4bd1-a8b2-a4449a05863d} - C:\Program Files (x86)\GamesBar\2.0.1.59\oberontb.dll
    TB: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files (x86)\TranslatorBar_3.2\tbTra2.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngin.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [SearchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files (x86)\GamesBar\2.0.1.59\oberontb.dll
    BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngin.dll
    BHO-X64: MyIdentityDefender: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files (x86)\TranslatorBar_3.2\tbTra2.dll
    BHO-X64: GamesBarBHO Class: {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files (x86)\GamesBar\2.0.1.59\oberontb.dll
    TB-X64: MyIdentityDefender: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\Home\AppData\LocalLow\CyberDefender\cdmyidd.dll
    TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB-X64: GamesBar: {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files (x86)\GamesBar\2.0.1.59\oberontb.dll
    TB-X64: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files (x86)\TranslatorBar_3.2\tbTra2.dll
    TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngin.dll
    TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB-X64: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    uRun: [rGDEAIvvgrLJejA] C:\ProgramData\rGDEAIvvgrLJejA.exe
    Registry::
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{c55f5517-246e-4426-b745-ee25b08eb8b4}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [HKEY_CLASSES_ROOT\clsid\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SearchEngineProtection"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
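    As an added illustration (not part of the thread, and not DDS or ComboFix code), the following PowerShell audit lists the same IE Browser Helper Object and toolbar registrations that the DDS:: lines above report, resolves each CLSID to its InprocServer32 DLL, and flags entries whose DLL is missing (what DDS prints as "No File") or sits under a user-writable location such as ProgramData or AppData\LocalLow, as several entries in this script do. Function names are my own; it reads the registry only and changes nothing.

```powershell
# Added example, not from the thread: audit IE BHOs and toolbars the way DDS lists
# them, resolving each CLSID to its DLL and flagging suspicious entries. Read-only.

function Resolve-ClsidDll {
    param([string]$Clsid, [bool]$Wow64)
    # 32-bit COM classes on 64-bit Windows are registered under Wow6432Node\CLSID
    $base = if ($Wow64) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
    $name = (Get-ItemProperty -Path "$base\$Clsid" -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path "$base\$Clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
    [pscustomobject]@{ Clsid = $Clsid; Name = $name; Dll = $dll }
}

function Get-IeAddonAudit {
    $results = foreach ($wow in $false, $true) {
        $sw  = if ($wow) { 'SOFTWARE\Wow6432Node' } else { 'SOFTWARE' }
        $bho = "HKLM:\$sw\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        $tb  = "HKLM:\$sw\Microsoft\Internet Explorer\Toolbar"
        # BHOs are subkeys named by CLSID; toolbars are values named by CLSID
        $ids = @()
        if (Test-Path $bho) { $ids += Get-ChildItem $bho | ForEach-Object { @{ Kind = 'BHO'; Clsid = $_.PSChildName } } }
        if (Test-Path $tb)  { $ids += (Get-Item $tb).GetValueNames() | Where-Object { $_ -like '{*}' } | ForEach-Object { @{ Kind = 'TB'; Clsid = $_ } } }
        foreach ($id in $ids) {
            $r = Resolve-ClsidDll -Clsid $id.Clsid -Wow64 $wow
            $flag = ''
            # DDS reports a CLSID with no resolvable DLL as "No File"
            if (-not $r.Dll -or -not (Test-Path -LiteralPath $r.Dll)) { $flag = 'No File' }
            # Add-ons loading from ProgramData or a user profile deserve a second look
            elseif ($r.Dll -match '\\(ProgramData|AppData)\\') { $flag = 'user-writable path' }
            [pscustomobject]@{ Kind = $id.Kind; Wow64 = $wow; Clsid = $id.Clsid; Name = $r.Name; Dll = $r.Dll; Flag = $flag }
        }
    }
    $results
}

Get-IeAddonAudit | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the affected machine; entries flagged 'user-writable path' or 'No File' correspond to the BHO and TB lines DDS shows for this system.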