Inactive Please help. Some type of virus keeps redirecting me when Internet surfing

jondjames

Good day all. I'm not the most tech-savvy person in the world, but I have a little common sense. Lately my laptop has been acting strange: real slow, and redirects when clicking on links. It is a Toshiba L305D-S5934 running Windows Vista Service Pack 1 (I can't download any upgrades, I'm thinking due to the virus). I have run anti-malware software on it that returns no detectable viruses. I don't know what else to do, so I'm here asking for help. Thanks in advance for any assistance.
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-08-07 11:29:01
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500BEVS-26UST0 rev.01.01A01
Running: pf250f2i[1].exe; Driver: C:\Users\angela\AppData\Local\Temp\kwliqpow.sys

---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088
Run by angela at 11:44:12 on 2012-08-07
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1521 [GMT -4:00]
.
AV: Trend Micro Internet Security *Disabled/Outdated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
SP: Trend Micro Internet Security *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Medicomp\Server\medcinserv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\HP Photosmart 5510 series\Bin\HPNetworkCommunicator.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\System32\svchost.exe" -k LocalServiceDns
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = about:blank
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uSearch Bar =
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>;*.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
uRun: [ApplePhotoStreams] c:\program files\common files\apple\internet services\ApplePhotoStreams.exe
uRun: [HP Photosmart 5510 series (NET)] "c:\program files\hp\hp photosmart 5510 series\bin\ScanToPCActivationApp.exe" -deviceID "CN1AL09J9Z05NR:NW" -scfn "HP Photosmart 5510 series (NET)" -AutoStart 1
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\users\angela\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hawkes~1.lnk - c:\program files\hawkes learning systems\hawkes update service manager\HawkesUpdater.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{A9EFA1D5-D2C5-483F-B589-590650DE78BE} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\angela\appdata\roaming\mozilla\firefox\profiles\si4rnafn.default\
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll
.
============= SERVICES / DRIVERS ===============
.
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-11-28 20384]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-7-29 145424]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
R2 HawkesUpdater;Hawkes Unattended Updater;c:\program files\hawkes learning systems\hawkes update service manager\srvany.exe [2011-11-23 8192]
R2 medcinserv;Medcin;c:\program files\medicomp\server\medcinserv.exe [2010-12-16 536576]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-7-29 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-1-29 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-7-29 256528]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-5 7168]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
S2 gupdate1c9cb4b47f2ec10;Google Update Service (gupdate1c9cb4b47f2ec10);c:\program files\google\update\GoogleUpdate.exe [2009-5-2 133104]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-10 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-10 677128]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-23 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-2 133104]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-11-28 954368]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-2-13 118256]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-5-16 9216]
.
=============== Created Last 30 ================
.
2012-07-27 12:55:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-25 00:12:23 -------- d-----w- c:\users\angela\appdata\local\Macromedia
2012-07-24 13:00:00 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{59d4fd3f-ce2d-4008-bcb7-9b8bacc8ca74}\mpengine.dll
2012-07-24 00:56:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-13 00:16:48 -------- d-----w- c:\users\angela\appdata\local\Apple Computer
2012-07-13 00:11:00 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-07-13 00:11:00 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-07-13 00:09:20 -------- d-----w- c:\program files\iPod
2012-07-13 00:09:16 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-07-13 00:09:16 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2012-08-03 21:52:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-31 16:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 11:44:52.50 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 11/28/2008 4:14:11 PM
System Uptime: 8/7/2012 11:36:42 AM (0 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: AMD Turion(tm) X2 Dual-Core Mobile RM-70 | Socket M2/S1G1 | 2000/1800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 226 GiB total, 140.985 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Photosmart C4500 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Photosmart C4500 series
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C4500 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C4500 series
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: HP
Name: Photosmart C4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart 5510 series
Device ID: ROOT\MULTIFUNCTION\0002
Manufacturer: HP
Name: Photosmart 5510 series
PNP Device ID: ROOT\MULTIFUNCTION\0002
Service:
.
==== System Restore Points ===================
.
RP386: 6/5/2012 4:02:39 PM - Windows Update
RP387: 6/8/2012 5:24:43 PM - Windows Update
RP388: 6/10/2012 12:10:57 PM - Scheduled Checkpoint
RP389: 6/12/2012 10:27:29 AM - Scheduled Checkpoint
RP390: 6/13/2012 8:44:08 AM - Scheduled Checkpoint
RP391: 6/13/2012 8:51:41 PM - Windows Update
RP392: 6/15/2012 9:15:51 PM - Windows Update
RP393: 6/19/2012 3:00:19 AM - Windows Update
RP394: 6/19/2012 7:08:01 PM - Windows Update
RP395: 6/25/2012 8:48:12 PM - Windows Update
RP396: 6/26/2012 3:51:00 PM - Windows Update
RP397: 7/4/2012 11:00:37 AM - Windows Update
RP398: 7/8/2012 2:42:46 PM - Windows Update
RP399: 7/10/2012 9:26:12 PM - Windows Update
RP400: 7/11/2012 3:00:22 AM - Windows Update
RP401: 7/11/2012 9:07:53 PM - Scheduled Checkpoint
RP402: 7/12/2012 4:36:59 PM - Windows Update
RP403: 7/12/2012 8:05:59 PM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
RP404: 7/12/2012 8:06:55 PM - Device Driver Package Install: Apple Network adapters
RP405: 7/12/2012 8:07:38 PM - Installed iTunes
RP406: 7/13/2012 4:31:24 PM - Windows Update
RP407: 7/16/2012 9:44:03 PM - Scheduled Checkpoint
RP408: 7/18/2012 10:27:57 AM - Windows Update
RP409: 7/19/2012 12:01:51 PM - Scheduled Checkpoint
RP410: 7/20/2012 9:42:37 PM - Windows Update
RP411: 7/21/2012 1:29:38 PM - Scheduled Checkpoint
RP412: 7/22/2012 1:27:18 PM - Scheduled Checkpoint
RP413: 7/24/2012 8:58:48 AM - Windows Update
RP414: 7/30/2012 1:36:39 PM - Scheduled Checkpoint
RP415: 8/7/2012 2:25:29 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
Atheros Wi-Fi Protected Setup Library
ATI Catalyst Install Manager
Aurora 16.0a2 (x86 en-US)
Bonjour
BufferChm
C4580
C4580_Help
Camera Assistant Software for Toshiba
Cards_Calendar_OrderGift_DoMorePlugout
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CD/DVD Drive Acoustic Silencer
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX Web Player
DocProc
DocProcQFolder
eSupportQFolder
GearDrvs
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService
GPBaseService2
Hawkes Update Service Manager
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Imaging Device Functions 11.0
HP Photosmart 5510 series Basic Device Software
HP Photosmart 5510 series Help
HP Photosmart C4500 All-In-One Driver Software 11.0 Rel .4
HP Photosmart Essential 2.5
HP Photosmart Essential 3.0
HP Solution Center 13.0
HP Update
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
iCloud
iTunes
Java(TM) 6 Update 6
Malwarebytes Anti-Malware version 1.62.0.1300
Medcin Server
Medcin Student Edition
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Maintenance Service
MSVCSetup
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network
OCR Software by I.R.I.S. 11.0
PanoStandAlone
Prealgebra (Fall 2011 Student)
PS_AIO_04_C4580_ProductContext
PS_AIO_04_C4580_Software
PS_AIO_04_C4580_Software_Min
PSSWCORE
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Skins
Skype™ 4.0
SolutionCenter
Spelling Dictionaries Support For Adobe Reader 9
Status
Synaptics Pointing Device Driver
Toolbox
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TrayApp
Trend Micro Internet Security
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.762
VideoToolkit01
WebReg
WildTangent Games
.
==== End Of File ===========================
 
Here is the latest log from Malwarebytes.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.30.06
Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
angela :: ANGELA-PC [administrator]
8/7/2012 1:14:04 PM
mbam-log-2012-08-07 (15-20-16).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 356666
Time elapsed: 2 hour(s), 5 minute(s), 53 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> No action taken.
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000004.@ (Rootkit.Zaccess) -> No action taken.
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
(end)

I went ahead and removed the threats and restarted the laptop for the changes to take place. Any help is greatly appreciated.
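As an added example (written for this page, not code from the thread, Malwarebytes, DDS or FRST): a small Python triage script that parses the "Files Detected" block of the Malwarebytes log and the DDS "Created Last 30" lines posted above, and flags the three path patterns that appear in them. The heuristics, rule names and sample text are assumptions drawn only from this post's own log lines.

```python
"""Triage helpers for the Malwarebytes and DDS logs posted in this thread.

Added example: the parsers and the three path heuristics were written for this
page and are not part of Malwarebytes, DDS or FRST.  The sample text below is
copied from the logs above (constructed input) so the script runs offline.
"""
import re
from dataclasses import dataclass

MBAM_SAMPLE = r"""Files Detected: 3
C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> No action taken.
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000004.@ (Rootkit.Zaccess) -> No action taken.
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
(end)
"""

DDS_SAMPLE = r"""2012-07-27 12:55:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-25 00:12:23 -------- d-----w- c:\users\angela\appdata\local\Macromedia
2012-07-24 00:56:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
"""


@dataclass
class Detection:
    path: str
    family: str
    action: str


@dataclass
class Created:
    when: str
    size: str
    attrs: str
    path: str


# One MBAM detection line: "<path> (<family>) -> <action>."
_MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# One DDS "Created Last 30" line: "<date> <time> <size|--------> <attrs> <path>"
_DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Path heuristics taken from the paths in the logs above (assumed rule names).
# Patterns are matched against a lowercased path with "/" normalised to "\".
PATH_RULES = {
    # Files under C:\Windows\Installer\{GUID}\U\ (the Rootkit.Zaccess and
    # Trojan.Dropper hits in the Malwarebytes log)
    "installer_guid_u_dir": re.compile(r"\\windows\\installer\\\{[0-9a-f-]{36}\}\\u\\"),
    # Desktop.ini inside the .NET Global Assembly Cache (the Trojan.0access hit)
    "gac_desktop_ini": re.compile(r"\\windows\\assembly\\gac\\desktop\.ini$"),
    # A directory literally named "%APPDATA%" under system32: an unexpanded
    # environment variable used as a folder name (DDS "Created Last 30")
    "literal_appdata_in_system32": re.compile(r"\\windows\\system32\\%appdata%(\\|$)"),
}


def normalise(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").lower()


def flag_path(path: str) -> list:
    """Return the names of every PATH_RULE that the path matches."""
    p = normalise(path)
    return [name for name, rx in PATH_RULES.items() if rx.search(p)]


def parse_mbam_detections(text: str) -> list:
    """Parse the 'Files Detected' block of a Malwarebytes 1.x log."""
    out, in_files = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Files Detected:"):
            in_files = True
            continue
        # skip "(No malicious items detected)" / "(end)" and blank lines
        if not in_files or not line or line.startswith("("):
            continue
        m = _MBAM_LINE.match(line)
        if m:
            out.append(Detection(m["path"], m["family"], m["action"]))
    return out


def parse_dds_created(text: str) -> list:
    """Parse DDS 'Created Last 30' lines into records."""
    out = []
    for line in text.splitlines():
        m = _DDS_LINE.match(line.strip())
        if m:
            out.append(Created(f'{m["date"]} {m["time"]}', m["size"], m["attrs"], m["path"]))
    return out


def is_hidden_system(attrs: str) -> bool:
    """DDS attribute column: 's' and 'h' mark system and hidden (e.g. 'd-sh--w-')."""
    return "s" in attrs and "h" in attrs


def triage(mbam_text: str, dds_text: str) -> dict:
    """Summarise what a helper would look at first in the two logs."""
    detections = parse_mbam_detections(mbam_text)
    created = parse_dds_created(dds_text)
    return {
        "detections": len(detections),
        "families": sorted({d.family for d in detections}),
        # "No action taken" means the file was found but not yet removed
        "not_removed": [d.path for d in detections if d.action.lower().startswith("no action")],
        "flagged_created": [
            (c.path, flag_path(c.path), is_hidden_system(c.attrs))
            for c in created if flag_path(c.path) or is_hidden_system(c.attrs)
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(MBAM_SAMPLE, DDS_SAMPLE), indent=2))
```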
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
 
Hello dragonmasterjay,
Thanks for your help in this issue. People like you are pretty awesome. My name is Jon, 27-year-old married father of 1. I like surfing the net, but lately it's been difficult. I've tried to follow your steps listed above, but so far I'm having trouble getting the frst.exe program to run when in System Recovery mode. It keeps telling me that the device is not ready in the command prompt screen. Not sure what to do.
 
Figured it out. Sorry. Here is the log:
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 05-08-2012 01
Ran by SYSTEM at 07-08-2012 17:46:13
Running from F:\
Windows Vista (TM) Home Premium Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [61440 2008-01-21] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [431456 2008-02-06] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [54608 2007-10-31] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [448080 2007-06-15] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [716800 2008-03-19] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1029416 2007-12-06] (Synaptics, Inc.)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [81920 2008-06-01] (Hewlett-Packard)
HKLM\...\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [995528 2009-10-20] (Trend Micro Inc.)
HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [973488 2012-07-03] (Malwarebytes Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-10-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [935288 2009-09-04] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKU\angela\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]
HKU\angela\...\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [497008 2008-07-29] (Trend Micro Inc.)
HKU\angela\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [23975720 2009-01-29] (Skype Technologies S.A.)
HKU\angela\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-03-30] (Google Inc.)
HKU\angela\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\angela\...\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59240 2011-10-05] (Apple Inc.)
HKU\angela\...\Run: [ApplePhotoStreams] C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59240 2011-09-29] (Apple Inc.)
HKU\angela\...\Run: [HP Photosmart 5510 series (NET)] "C:\Program Files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN1AL09J9Z05NR:NW" -scfn "HP Photosmart 5510 series (NET)" -AutoStart 1 [1804648 2011-09-16] (Hewlett-Packard Co.)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Hawkes Update Notifier.lnk
ShortcutTarget: Hawkes Update Notifier.lnk -> C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe (Hawkes Learning Systems )
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\angela\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
================================ Services (Whitelisted) ==================
2 ConfigFree Service; "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" [40960 2008-04-16] (TOSHIBA CORPORATION)
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
3 GameConsoleService; "C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [250616 2009-06-05] (WildTangent, Inc.)
2 gupdate1c9cb4b47f2ec10; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-05-02] (Google Inc.)
2 HawkesUpdater; "C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe" [8192 2003-04-18] ()
3 jswpsapi; C:\Program Files\Jumpstart\jswpsapi.exe [954368 2008-04-16] (Atheros Communications, Inc.)
2 medcinserv; "C:\Program Files\Medicomp\Server\medcinserv.exe" [536576 2010-12-16] (Medicomp Systems, Inc.)
2 SfCtlCom; "C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe" [711248 2009-10-20] (Trend Micro Inc.)
3 SmartFaceVWatchSrv; "C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe" [73728 2008-04-24] (Toshiba)
2 TMBMServer; "C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service [341256 2009-03-03] (Trend Micro Inc.)
2 TmPfw; "C:\Program Files\Trend Micro\Internet Security\TmPfw.exe" [497008 2009-09-03] (Trend Micro Inc.)
2 TmProxy; "C:\Program Files\Trend Micro\Internet Security\TmProxy.exe" [677128 2009-09-03] (Trend Micro Inc.)
2 TosCoSrv; "C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe" [431456 2008-02-06] (TOSHIBA Corporation)
2 TOSHIBA SMART Log Service; "C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe" [126976 2007-12-03] (TOSHIBA Corporation)
========================== Drivers (Whitelisted) =============
3 SVRPEDRV; \??\C:\Windows\System32\sysprep\PEDrv.sys [9216 2008-01-18] (Inventec Corporation)
2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [50192 2009-04-02] (Trend Micro Inc.)
2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [153104 2009-04-02] (Trend Micro Inc.)
2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [50192 2009-04-02] (Trend Micro Inc.)
1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [145424 2009-03-03] (Trend Micro Inc.)
2 tmpreflt; C:\Windows\System32\DRIVERS\tmpreflt.sys [36368 2009-05-22] (Trend Micro Inc.)
1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [80400 2009-03-03] (Trend Micro Inc.)
2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [256528 2009-03-03] (Trend Micro Inc.)
2 tmxpflt; C:\Windows\System32\DRIVERS\tmxpflt.sys [225296 2009-05-22] (Trend Micro Inc.)
3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [18432 2007-12-17] (Chicony Electronics Co., Ltd.)
2 vsapint; C:\Windows\System32\DRIVERS\vsapint.sys [1220120 2009-05-21] (Trend Micro Inc.)
3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-08-07 17:45 - 2012-08-07 17:45 - 00000000 ____D C:\FRST
2012-08-07 13:38 - 2012-08-07 13:31 - 00892958 ____A (Farbar) C:\Users\angela\Desktop\FRST.exe
2012-08-07 07:37 - 2012-08-07 07:37 - 00138848 ____A C:\Windows\Minidump\Mini080712-01.dmp
2012-08-07 07:29 - 2012-08-07 07:29 - 00000805 ____A C:\Users\angela\Desktop\gmer.log
2012-07-27 04:55 - 2012-07-27 04:55 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-24 16:12 - 2012-07-24 16:12 - 00000000 ____D C:\Users\angela\AppData\Local\Macromedia
2012-07-23 16:56 - 2012-08-07 10:52 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-23 16:56 - 2012-08-03 13:52 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-21 11:38 - 2012-07-21 11:38 - 00000000 ____D C:\Users\angela\Desktop\101KC310
2012-07-12 16:16 - 2012-07-12 16:22 - 00000000 ____D C:\Users\angela\AppData\Local\Apple Computer
2012-07-12 16:16 - 2012-07-12 16:16 - 00001675 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-12 16:11 - 2009-05-18 09:17 - 00026600 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-07-12 16:11 - 2008-04-17 08:12 - 00107368 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi.dll
2012-07-12 16:09 - 2012-07-12 16:10 - 00000000 ____D C:\Users\All Users\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-07-12 16:09 - 2012-07-12 16:10 - 00000000 ____D C:\Program Files\iTunes
2012-07-12 16:09 - 2012-07-12 16:09 - 00000000 ____D C:\Program Files\iPod
============ 3 Months Modified Files ========================
2012-08-07 13:41 - 2009-02-10 18:56 - 09985961 ____A C:\Windows\TmComm.log
2012-08-07 13:41 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-07 13:41 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-07 13:41 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-07 13:40 - 2006-11-02 05:01 - 00032622 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-07 13:40 - 2006-11-02 02:33 - 00004710 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-07 13:37 - 2009-07-03 19:48 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-07 13:31 - 2012-08-07 13:38 - 00892958 ____A (Farbar) C:\Users\angela\Desktop\FRST.exe
2012-08-07 11:23 - 2008-01-20 18:47 - 00095342 ____A C:\Windows\PFRO.log
2012-08-07 11:00 - 2009-07-03 19:48 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-07 10:52 - 2012-07-23 16:56 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-07 07:37 - 2012-08-07 07:37 - 00138848 ____A C:\Windows\Minidump\Mini080712-01.dmp
2012-08-07 07:37 - 2009-03-03 13:36 - 248056596 ____A C:\Windows\MEMORY.DMP
2012-08-07 07:29 - 2012-08-07 07:29 - 00000805 ____A C:\Users\angela\Desktop\gmer.log
2012-08-06 21:15 - 2008-11-28 13:13 - 01218803 ____A C:\Windows\WindowsUpdate.log
2012-08-06 19:36 - 2011-10-13 11:19 - 00004104 ____A C:\Windows\IE9_main.log
2012-08-03 13:52 - 2012-07-23 16:56 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-03 13:52 - 2012-02-13 12:50 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-01 12:03 - 2009-05-02 09:28 - 00001982 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-07-24 04:54 - 2009-02-02 10:20 - 00001356 ____A C:\Users\angela\AppData\Local\d3d9caps.dat
2012-07-21 07:27 - 2012-01-10 17:35 - 00000917 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-12 16:16 - 2012-07-12 16:16 - 00001675 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-10 23:01 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-03 09:46 - 2010-04-29 17:29 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-05-31 08:25 - 2010-03-29 15:06 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

ZeroAccess:
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\@
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\L
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\L\00000004.@
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\L\201d3dde
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000004.@
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000008.@
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\000000cb.@
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\80000000.@
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\80000032.@
ZeroAccess:
C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}
C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\@
C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\L
C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 5DC3C54FC22BBB6F66C290C7C0384DF9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 13%
Total physical RAM: 2813.1 MB
Available physical RAM: 2428.11 MB
Total Pagefile: 2612.97 MB
Available Pagefile: 2476.21 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.31 MB
======================= Partitions =========================
1 Drive c: (SQ004720V05) (Fixed) (Total:225.52 GB) (Free:140.75 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
4 Drive f: () (Removable) (Total:3.76 GB) (Free:3.39 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B
Disk 1 Online 3856 MB 0 B
Disk 2 No Media 0 B 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 226 GB 1501 MB
Partition 3 Primary 6040 MB 227 GB
==================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SQ004720V05 NTFS Partition 226 GB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No
There is no volume associated with this partition.
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3856 MB 32 KB
==================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F FAT32 Removable 3856 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-08-07 13:32
======================= End Of Log ==========================
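The three "ZeroAccess:" groups in the FRST log above share one shape: a GUID-named folder holding an "@" file plus "L" and "U" subfolders (the 8-hex-digit ".@" files under "U" are the payload store), once under %WINDIR%\Installer and once under the user's AppData\Local, plus a stray Desktop.ini in the root of the GAC. The PowerShell below is an added example for hunting that shape on a machine; it is not part of this thread or of FRST. It assumes PowerShell 2.0 or later run from an elevated prompt, and that $sysRoot and $usersRoot are pointed at the Windows install to inspect. Pointing them at a drive mounted from a clean system is the more reliable option while the infection is live, which is why the helper ran FRST from the recovery environment rather than from inside Windows.

```powershell
# Added example (not from the thread): hunt for ZeroAccess-style payload folders
# and the GAC Desktop.ini stub. Assumptions: PowerShell 2.0+, elevated prompt.
# Point these at an offline mount (e.g. 'D:\Windows', 'D:\Users') when the
# running system itself cannot be trusted.
$sysRoot   = $env:SystemRoot
$usersRoot = Join-Path $env:SystemDrive 'Users'

$guidRe = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'

# Roots seen in the FRST log: the MSI cache and every profile's AppData\Local.
$roots = @(Join-Path $sysRoot 'Installer')
foreach ($prof in (Get-ChildItem -LiteralPath $usersRoot -Force -ErrorAction SilentlyContinue)) {
    if ($prof.PSIsContainer) { $roots += Join-Path $prof.FullName 'AppData\Local' }
}

$hits = @()
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($dir in (Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue)) {
        if (-not $dir.PSIsContainer -or $dir.Name -notmatch $guidRe) { continue }
        # A genuine MSI cache entry holds .msi/.msp files; this family's store has
        # 'U' and 'L' subfolders (usually with an '@' file beside them) and
        # 8-hex-digit '.@' payloads inside 'U'.
        $u = Join-Path $dir.FullName 'U'
        $l = Join-Path $dir.FullName 'L'
        if ((Test-Path -LiteralPath $u) -and (Test-Path -LiteralPath $l)) {
            $payloads = @(Get-ChildItem -LiteralPath $u -Force -ErrorAction SilentlyContinue |
                          Where-Object { $_.Name -match '^[0-9a-f]{8}\.@$' } |
                          ForEach-Object { $_.Name })
            $hits += New-Object PSObject -Property @{
                Path     = $dir.FullName
                HasAt    = (Test-Path -LiteralPath (Join-Path $dir.FullName '@'))
                Payloads = ($payloads -join ', ')
            }
        }
    }
}

# The GAC root should contain only assembly folders; a Desktop.ini there is the
# stub FRST flagged above.
$gacIni = Join-Path $sysRoot 'assembly\GAC\Desktop.ini'
if (Test-Path -LiteralPath $gacIni) {
    $hits += New-Object PSObject -Property @{ Path = $gacIni; HasAt = $false; Payloads = '' }
}

if ($hits.Count -eq 0) { Write-Output 'No ZeroAccess-style artefacts found.' }
else { $hits | Format-Table -AutoSize Path, HasAt, Payloads }
```

The script only reports; removal is deliberately left to an offline tool such as the FRST fixlist used later in this thread, because a live rootkit can hide or re-create these folders while Windows is running, and a clean report from inside the infected OS is not evidence of a clean disk.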
 
Hi Jon! Good work there...we'll get this cleaned up ASAP! :)

Additional FRST Scan

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)


When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.
 
Hey dmj, thanks for your help so far. Here is a log from the services.exe search.

Farbar Recovery Scan Tool Version: 05-08-2012 01
Ran by SYSTEM at 2012-08-08 09:04:10
Running from G:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 5DC3C54FC22BBB6F66C290C7C0384DF9
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-17 14:54] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
=== End Of Search ===
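Two details in the search above are what make the check work: the live C:\Windows\System32\services.exe and its WinSxS backing copy have the same size (279040 bytes) and the same timestamps and differ only in MD5, while the copy under SoftwareDistribution is a different build (6.0.6002.18005) and is expected to hash differently. The PowerShell below is an added example that automates that comparison for any System32 binary; it is not part of the thread or of FRST. It assumes PowerShell 2.0 or later, an elevated prompt, and that $sysRoot points at the Windows directory to check (a mounted offline copy works as well).

```powershell
# Added example (not from the thread): compare a System32 binary with the WinSxS
# copies of the same file version, the way the FRST search/Replace step does by
# hand. Assumptions: PowerShell 2.0+, elevated; $sysRoot may be an offline mount.
$sysRoot  = $env:SystemRoot
$fileName = 'services.exe'

$md5 = [System.Security.Cryptography.MD5]::Create()
function Get-Md5Hex([string]$path) {
    # Open with share-read/write so a running, locked binary can still be hashed.
    $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
    try { ([BitConverter]::ToString($md5.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$live   = Get-Item -LiteralPath (Join-Path $sysRoot "System32\$fileName") -ErrorAction SilentlyContinue
$winsxs = @(Get-ChildItem -LiteralPath (Join-Path $sysRoot 'winsxs') -Recurse -Force `
              -Filter $fileName -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer })

$records = @()
foreach ($f in (@($live) + $winsxs)) {
    if ($f -eq $null) { continue }
    $store = 'Live'
    if ($f.FullName -like '*\winsxs\*') { $store = 'WinSxS' }
    $records += New-Object PSObject -Property @{
        Path    = $f.FullName
        Store   = $store
        # Group by the version resource: a patched binary keeps its version string,
        # a genuinely different build (the SP2 copy in the search above) does not.
        Version = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($f.FullName).FileVersion
        Size    = $f.Length
        Md5     = Get-Md5Hex $f.FullName
    }
}

foreach ($lv in @($records | Where-Object { $_.Store -eq 'Live' })) {
    $refs = @($records | Where-Object { $_.Store -eq 'WinSxS' -and $_.Version -eq $lv.Version })
    if ($refs.Count -eq 0) {
        Write-Output "$($lv.Path): no WinSxS copy of version '$($lv.Version)' to compare against"
        continue
    }
    $same = @($refs | Where-Object { $_.Md5 -eq $lv.Md5 })
    if ($same.Count -gt 0) {
        Write-Output "$($lv.Path): OK, MD5 $($lv.Md5) matches $($same[0].Path)"
    } else {
        Write-Output "$($lv.Path): MISMATCH, MD5 $($lv.Md5) vs WinSxS $($refs[0].Md5) (size $($lv.Size) vs $($refs[0].Size)) <== check this file"
    }
}
```

Two caveats a practitioner should keep in mind. The WinSxS copy is a convenient reference, not a trusted one: nothing stops an attacker from patching it too, so cross-check a mismatch against the same file from a clean machine at the same patch level before relying on it as the replacement. And MD5 is used here only because that is what FRST prints; for your own baselines record SHA-256 as well.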
 
FRST Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}
C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}
C:\Windows\assembly\GAC\Desktop.ini
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
Hey dragonmasterjay,
Here is a copy of the fixlog that you requested.
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01
Ran by SYSTEM at 2012-08-09 09:17:42 Run:1
Running from F:\
==============================================
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049} moved successfully.
C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
 
Okay good. Back to Normal Mode in Windows...

Scan for malware

Please download Malwarebytes Anti-Malware from HERE.


Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.
 
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.10.01
Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
angela :: ANGELA-PC [administrator]
8/9/2012 10:56:08 PM
mbam-log-2012-08-09 (22-56-08).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 361566
Time elapsed: 1 hour(s), 50 minute(s), 47 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 6
C:\FRST\Quarantine\Desktop.ini (Trojan.0access) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000004.@ (Rootkit.Zaccess) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\80000000.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
 
Not sure if that was supposed to fix everything or not, but for some reason I'm still unable to check for Windows updates; it says the service is not running when I try to. That isn't normal, is it?
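A Windows Update error of "the service is not running" right after a ZeroAccess cleanup is worth checking systematically rather than by trial and error, because this family is known for breaking core services (stripping their security descriptors or removing their registry keys) rather than merely stopping them. The PowerShell below is an added example, not part of the thread; the list of services it inspects is an assumption drawn from this Windows Update error and from the DDS header earlier in the thread (Defender and the firewall shown as disabled), and should be adjusted to the case at hand. It assumes PowerShell 2.0 or later run elevated on the affected machine.

```powershell
# Added example (not from the thread): report registration, start type, status
# and DACL of the services a post-cleanup Windows Update failure usually points at.
# Assumption: the $watch list below is a starting point; extend it for your case.
# PowerShell 2.0+, elevated prompt, run on the affected machine.
$watch      = 'wuauserv', 'BITS', 'BFE', 'MpsSvc', 'WinDefend', 'wscsvc'
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$report = @()
foreach ($name in $watch) {
    $key       = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $regExists = Test-Path -LiteralPath $key
    $startType = 'key missing'
    $image     = ''
    if ($regExists) {
        $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($p.Start -ne $null) { $startType = $startNames[[int]$p.Start] }
        if ($startType -eq $null) { $startType = "unknown ($($p.Start))" }
        $image = $p.ImagePath
    }

    $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
    $status = 'not registered'
    if ($svc) { $status = [string]$svc.Status }

    # sc.exe sdshow prints the service's SDDL. If the DACL has no allow ACE
    # granting start (RP) or everything (GA) to SYSTEM (SY) or Administrators
    # (BA), 'net start' fails with access denied even though the key is intact.
    $sddl = (& sc.exe sdshow $name 2>&1 |
             Where-Object { $_.ToString().Trim() -like 'D:*' } |
             ForEach-Object { $_.ToString().Trim() }) -join ''
    $dacl = ''
    if ($sddl -match '^(D:.*?)(?:S:|$)') { $dacl = $matches[1] }

    $report += New-Object PSObject -Property @{
        Service       = $name
        RegKey        = $regExists
        StartType     = $startType
        Status        = $status
        ImagePath     = $image
        AdminCanStart = ($dacl -match '\(A;;[^;]*(RP|GA)[^;]*;;;(SY|BA)\)')
        DACL          = $dacl
    }
}
$report | Format-Table -AutoSize Service, RegKey, StartType, Status, AdminCanStart, ImagePath
```

Read the table from left to right: a missing key means the service has to be re-created from an export of the same key taken from a clean machine at the same service-pack level; a present key with AdminCanStart false means the descriptor was rewritten and can be restored with sc.exe sdset using the SDDL from that same clean machine; only when both are fine is a plain Set-Service / Start-Service the right fix. None of those repair steps appear in this thread, which stops at diagnosis.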
 
It's okay. We will solve that issue soon.

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.

  • The report has been created on the desktop.
  • Next click on the ShortcutsFix

  • The report has been created on the desktop.
Please post:

All RKreport.txt text files located on your desktop.
 
RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User: angela [Admin rights]
Mode: Scan -- Date: 08/10/2012 09:18:01
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[64] : NtCreateKey @ 0x81FFDFA5 -> HOOKED (Unknown @ 0x88397000)
SSDT[72] : NtCreateProcess @ 0x820AA72B -> HOOKED (Unknown @ 0x88396240)
SSDT[73] : NtCreateProcessEx @ 0x820AA776 -> HOOKED (Unknown @ 0x88396500)
SSDT[78] : NtCreateThread @ 0x820AA560 -> HOOKED (Unknown @ 0x88397E60)
SSDT[123] : NtDeleteKey @ 0x81FCB83C -> HOOKED (Unknown @ 0x88397580)
SSDT[126] : NtDeleteValueKey @ 0x81FC621F -> HOOKED (Unknown @ 0x88397840)
SSDT[165] : NtLoadDriver @ 0x81F85AD0 -> HOOKED (Unknown @ 0x883981A0)
SSDT[194] : NtOpenProcess @ 0x82027EF2 -> HOOKED (Unknown @ 0x88396A80)
SSDT[324] : NtSetValueKey @ 0x81FFEDD1 -> HOOKED (Unknown @ 0x883972C0)
SSDT[334] : NtTerminateProcess @ 0x81FF92F0 -> HOOKED (Unknown @ 0x88396D40)
SSDT[358] : NtWriteVirtualMemory @ 0x82024033 -> HOOKED (Unknown @ 0x88397CC0)
SSDT[382] : NtCreateThreadEx @ 0x82017F82 -> HOOKED (Unknown @ 0x88398000)
SSDT[383] : NtCreateUserProcess @ 0x81FDEE26 -> HOOKED (Unknown @ 0x883967C0)
S_SSDT[572] : Unknown -> HOOKED (Unknown @ 0x88398800)
S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x88398620)
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVS-26UST0 ATA Device +++++
--- User ---
[MBR] 90491ffc9df81997944036447b4caea5
[BSP] 184e9a2b552b3be8ff90bd294c2c3797 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 230934 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 476026880 | Size: 6040 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt
 
RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User: angela [Admin rights]
Mode: Remove -- Date: 08/10/2012 09:19:35
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[64] : NtCreateKey @ 0x81FFDFA5 -> HOOKED (Unknown @ 0x88397000)
SSDT[72] : NtCreateProcess @ 0x820AA72B -> HOOKED (Unknown @ 0x88396240)
SSDT[73] : NtCreateProcessEx @ 0x820AA776 -> HOOKED (Unknown @ 0x88396500)
SSDT[78] : NtCreateThread @ 0x820AA560 -> HOOKED (Unknown @ 0x88397E60)
SSDT[123] : NtDeleteKey @ 0x81FCB83C -> HOOKED (Unknown @ 0x88397580)
SSDT[126] : NtDeleteValueKey @ 0x81FC621F -> HOOKED (Unknown @ 0x88397840)
SSDT[165] : NtLoadDriver @ 0x81F85AD0 -> HOOKED (Unknown @ 0x883981A0)
SSDT[194] : NtOpenProcess @ 0x82027EF2 -> HOOKED (Unknown @ 0x88396A80)
SSDT[324] : NtSetValueKey @ 0x81FFEDD1 -> HOOKED (Unknown @ 0x883972C0)
SSDT[334] : NtTerminateProcess @ 0x81FF92F0 -> HOOKED (Unknown @ 0x88396D40)
SSDT[358] : NtWriteVirtualMemory @ 0x82024033 -> HOOKED (Unknown @ 0x88397CC0)
SSDT[382] : NtCreateThreadEx @ 0x82017F82 -> HOOKED (Unknown @ 0x88398000)
SSDT[383] : NtCreateUserProcess @ 0x81FDEE26 -> HOOKED (Unknown @ 0x883967C0)
S_SSDT[572] : Unknown -> HOOKED (Unknown @ 0x88398800)
S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x88398620)
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVS-26UST0 ATA Device +++++
--- User ---
[MBR] 90491ffc9df81997944036447b4caea5
[BSP] 184e9a2b552b3be8ff90bd294c2c3797 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 230934 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 476026880 | Size: 6040 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
 
Time : 10/08/2012 09:18:01
--------------------------

Time : 10/08/2012 09:19:35
--------------------------

Time : 10/08/2012 09:20:46
--------------------------
 
Not sure about that last one, but it was the text file that was in the folder rk_quarantine after the initial scan.
 
ComboFix

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and this time name ComboFix.exe iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
ComboFix 12-08-10.01 - angela 08/11/2012 12:47:36.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1520 [GMT -4:00]
Running from: c:\users\angela\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *Disabled/Outdated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
SP: Trend Micro Internet Security *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\angela\AppData\Roaming\alggui.exe
c:\users\angela\AppData\Roaming\scdata
c:\users\angela\AppData\Roaming\scdata\images\i1.gif
c:\users\angela\AppData\Roaming\scdata\images\i2.gif
c:\users\angela\AppData\Roaming\scdata\images\i3.gif
c:\users\angela\AppData\Roaming\scdata\images\j1.gif
c:\users\angela\AppData\Roaming\scdata\images\j2.gif
c:\users\angela\AppData\Roaming\scdata\images\j3.gif
c:\users\angela\AppData\Roaming\scdata\images\jj1.gif
c:\users\angela\AppData\Roaming\scdata\images\jj2.gif
c:\users\angela\AppData\Roaming\scdata\images\jj3.gif
c:\users\angela\AppData\Roaming\scdata\images\l1.gif
c:\users\angela\AppData\Roaming\scdata\images\l2.gif
c:\users\angela\AppData\Roaming\scdata\images\l3.gif
c:\users\angela\AppData\Roaming\scdata\images\pix.gif
c:\users\angela\AppData\Roaming\scdata\images\t1.gif
c:\users\angela\AppData\Roaming\scdata\images\t2.gif
c:\users\angela\AppData\Roaming\scdata\images\Thumbs.db
c:\users\angela\AppData\Roaming\scdata\images\up1.gif
c:\users\angela\AppData\Roaming\scdata\images\up2.gif
c:\users\angela\AppData\Roaming\scdata\images\w1.gif
c:\users\angela\AppData\Roaming\scdata\images\w11.gif
c:\users\angela\AppData\Roaming\scdata\images\w2.gif
c:\users\angela\AppData\Roaming\scdata\images\w3.jpg
c:\users\angela\AppData\Roaming\scdata\images\word.doc
c:\users\angela\AppData\Roaming\scdata\images\wt1.gif
c:\users\angela\AppData\Roaming\scdata\images\wt2.gif
c:\users\angela\AppData\Roaming\scdata\images\wt3.gif
c:\users\angela\AppData\Roaming\scdata\wispex.html
c:\users\angela\AppData\Roaming\skynet.dat
c:\users\angela\AppData\Roaming\wp3.dat
c:\users\angela\AppData\Roaming\wp4.dat
c:\users\angela\Documents\~WRL0866.tmp
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\pt
c:\windows\system32\pt\smartfacevcp.dll.mui
c:\windows\system32\pt\toscdspd.cpl.mui
c:\windows\system32\service
c:\windows\system32\service\10042010_TIS17_SfFniAU.log
c:\windows\system32\service\16012012_TIS17_SfFniAU.log
c:\windows\system32\service\17022009_TIS17_SfFniAU.log
c:\windows\system32\service\20062011_TIS17_SfFniAU.log
c:\windows\TEMP\mia45\mEXEFunc.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))
.
.
2012-08-11 17:00 . 2012-08-11 17:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-08 01:45 . 2012-08-08 01:45 -------- d-----w- C:\FRST
2012-07-27 12:55 . 2012-07-27 12:55 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-25 00:12 . 2012-07-25 00:12 -------- d-----w- c:\users\angela\AppData\Local\Macromedia
2012-07-24 13:00 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{59D4FD3F-CE2D-4008-BCB7-9B8BACC8CA74}\mpengine.dll
2012-07-24 00:56 . 2012-08-03 21:52 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-13 00:16 . 2012-07-13 00:22 -------- d-----w- c:\users\angela\AppData\Local\Apple Computer
2012-07-13 00:11 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-07-13 00:11 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-07-13 00:09 . 2012-07-13 00:09 -------- d-----w- c:\program files\iPod
2012-07-13 00:09 . 2012-07-13 00:10 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-07-13 00:09 . 2012-07-13 00:10 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-03 21:52 . 2012-02-13 20:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46 . 2010-04-30 01:29 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-31 16:25 . 2010-03-29 23:06 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-30 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2011-10-06 59240]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2011-09-29 59240]
"HP Photosmart 5510 series (NET)"="c:\program files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe" [2011-09-16 1804648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 81920]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-07-03 973488]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
c:\users\angela\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Hawkes Update Notifier.lnk - c:\program files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe [2011-11-23 3140288]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-26 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2008-04-29 18:33 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-04-08 23:14 6037504 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-12-07 02:12 1029416 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-24 21:52]
.
2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 17:27]
.
2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 17:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\angela\AppData\Roaming\Mozilla\Firefox\Profiles\si4rnafn.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
MSConfigStartUp-cfFncEnabler - cfFncEnabler.exe
MSConfigStartUp-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
MSConfigStartUp-NDSTray - NDSTray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-11 13:07
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\WLANExt.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe
c:\program files\Medicomp\Server\medcinserv.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\HP Photosmart 5510 series\Bin\HPNetworkCommunicator.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-08-11 13:11:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-11 17:11
.
Pre-Run: 151,130,435,584 bytes free
Post-Run: 152,286,380,032 bytes free
.
- - End Of File - - 74A93BD2C0D7310A1D209DBD90CD72B5
 
Scan with Malwarebytes' Anti-Malware

Please open Malwarebytes' Anti-Malware, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.
 
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.12.06
Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
angela :: ANGELA-PC [administrator]
8/12/2012 8:22:30 PM
mbam-log-2012-08-12 (20-22-30).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 351918
Time elapsed: 1 hour(s), 54 minute(s), 59 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
 