TechSpot

Please help. Some type of virus keeps redirecting me when Internet surfing

Inactive
By jondjames
Aug 7, 2012
  1. Good day all. I'm not the most tech-savvy person in the world, but I have a little common sense. Lately my laptop has been acting strange: real slow, and it redirects when clicking on links. It is a Toshiba L305D-S5934 running Windows Vista Service Pack 1 (I can't download any upgrades; I'm thinking due to the virus). I have run anti-malware software on it that returns no detectable viruses. I don't know what else to do, so I'm here asking for help. Thanks in advance for any assistance.
  2. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-08-07 11:29:01
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500BEVS-26UST0 rev.01.01A01
    Running: pf250f2i[1].exe; Driver: C:\Users\angela\AppData\Local\Temp\kwliqpow.sys

    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    ---- EOF - GMER 1.0.15 ----
  3. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19088
    Run by angela at 11:44:12 on 2012-08-07
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1521 [GMT -4:00]
    .
    AV: Trend Micro Internet Security *Disabled/Outdated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
    SP: Trend Micro Internet Security *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Medicomp\Server\medcinserv.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe
    C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
    C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
    C:\Program Files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HP\HP Photosmart 5510 series\Bin\HPNetworkCommunicator.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\System32\svchost.exe" -k LocalServiceDns
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page =
    uStart Page = about:blank
    uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    uSearch Bar =
    mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    uInternet Settings,ProxyOverride = <local>;*.local
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [TOSCDSPD] TOSCDSPD.EXE
    uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
    uRun: [ApplePhotoStreams] c:\program files\common files\apple\internet services\ApplePhotoStreams.exe
    uRun: [HP Photosmart 5510 series (NET)] "c:\program files\hp\hp photosmart 5510 series\bin\ScanToPCActivationApp.exe" -deviceID "CN1AL09J9Z05NR:NW" -scfn "HP Photosmart 5510 series (NET)" -AutoStart 1
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
    StartupFolder: c:\users\angela\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hawkes~1.lnk - c:\program files\hawkes learning systems\hawkes update service manager\HawkesUpdater.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{A9EFA1D5-D2C5-483F-B589-590650DE78BE} : DhcpNameServer = 209.18.47.61 209.18.47.62
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\angela\appdata\roaming\mozilla\firefox\profiles\si4rnafn.default\
    FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-11-28 20384]
    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-7-29 145424]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
    R2 HawkesUpdater;Hawkes Unattended Updater;c:\program files\hawkes learning systems\hawkes update service manager\srvany.exe [2011-11-23 8192]
    R2 medcinserv;Medcin;c:\program files\medicomp\server\medcinserv.exe [2010-12-16 536576]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-7-29 50192]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-1-29 36368]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-7-29 256528]
    R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-5 7168]
    R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
    S2 gupdate1c9cb4b47f2ec10;Google Update Service (gupdate1c9cb4b47f2ec10);c:\program files\google\update\GoogleUpdate.exe [2009-5-2 133104]
    S2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-10 497008]
    S2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-10 677128]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-23 250056]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-2 133104]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-11-28 954368]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-2-13 118256]
    S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-5-16 9216]
    .
    =============== Created Last 30 ================
    .
    2012-07-27 12:55:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-25 00:12:23 -------- d-----w- c:\users\angela\appdata\local\Macromedia
    2012-07-24 13:00:00 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{59d4fd3f-ce2d-4008-bcb7-9b8bacc8ca74}\mpengine.dll
    2012-07-24 00:56:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-13 00:16:48 -------- d-----w- c:\users\angela\appdata\local\Apple Computer
    2012-07-13 00:11:00 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-07-13 00:11:00 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2012-07-13 00:09:20 -------- d-----w- c:\program files\iPod
    2012-07-13 00:09:16 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2012-07-13 00:09:16 -------- d-----w- c:\program files\iTunes
    .
    ==================== Find3M ====================
    .
    2012-08-03 21:52:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-31 16:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 11:44:52.50 ===============
  4. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 11/28/2008 4:14:11 PM
    System Uptime: 8/7/2012 11:36:42 AM (0 hours ago)
    .
    Motherboard: TOSHIBA | | Portable PC
    Processor: AMD Turion(tm) X2 Dual-Core Mobile RM-70 | Socket M2/S1G1 | 2000/1800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 226 GiB total, 140.985 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
    Description: Photosmart C4500 series
    Device ID: ROOT\IMAGE\0000
    Manufacturer: HP
    Name: Photosmart C4500 series
    PNP Device ID: ROOT\IMAGE\0000
    Service: StillCam
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Photosmart C4500 series
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Photosmart C4500 series
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Photosmart C4500 series
    Device ID: ROOT\MULTIFUNCTION\0001
    Manufacturer: HP
    Name: Photosmart C4500 series
    PNP Device ID: ROOT\MULTIFUNCTION\0001
    Service:
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Photosmart 5510 series
    Device ID: ROOT\MULTIFUNCTION\0002
    Manufacturer: HP
    Name: Photosmart 5510 series
    PNP Device ID: ROOT\MULTIFUNCTION\0002
    Service:
    .
    ==== System Restore Points ===================
    .
    RP386: 6/5/2012 4:02:39 PM - Windows Update
    RP387: 6/8/2012 5:24:43 PM - Windows Update
    RP388: 6/10/2012 12:10:57 PM - Scheduled Checkpoint
    RP389: 6/12/2012 10:27:29 AM - Scheduled Checkpoint
    RP390: 6/13/2012 8:44:08 AM - Scheduled Checkpoint
    RP391: 6/13/2012 8:51:41 PM - Windows Update
    RP392: 6/15/2012 9:15:51 PM - Windows Update
    RP393: 6/19/2012 3:00:19 AM - Windows Update
    RP394: 6/19/2012 7:08:01 PM - Windows Update
    RP395: 6/25/2012 8:48:12 PM - Windows Update
    RP396: 6/26/2012 3:51:00 PM - Windows Update
    RP397: 7/4/2012 11:00:37 AM - Windows Update
    RP398: 7/8/2012 2:42:46 PM - Windows Update
    RP399: 7/10/2012 9:26:12 PM - Windows Update
    RP400: 7/11/2012 3:00:22 AM - Windows Update
    RP401: 7/11/2012 9:07:53 PM - Scheduled Checkpoint
    RP402: 7/12/2012 4:36:59 PM - Windows Update
    RP403: 7/12/2012 8:05:59 PM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
    RP404: 7/12/2012 8:06:55 PM - Device Driver Package Install: Apple Network adapters
    RP405: 7/12/2012 8:07:38 PM - Installed iTunes
    RP406: 7/13/2012 4:31:24 PM - Windows Update
    RP407: 7/16/2012 9:44:03 PM - Scheduled Checkpoint
    RP408: 7/18/2012 10:27:57 AM - Windows Update
    RP409: 7/19/2012 12:01:51 PM - Scheduled Checkpoint
    RP410: 7/20/2012 9:42:37 PM - Windows Update
    RP411: 7/21/2012 1:29:38 PM - Scheduled Checkpoint
    RP412: 7/22/2012 1:27:18 PM - Scheduled Checkpoint
    RP413: 7/24/2012 8:58:48 AM - Windows Update
    RP414: 7/30/2012 1:36:39 PM - Scheduled Checkpoint
    RP415: 8/7/2012 2:25:29 AM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    32 Bit HP CIO Components Installer
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.2
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Driver Installation Program
    Atheros Wi-Fi Protected Setup Library
    ATI Catalyst Install Manager
    Aurora 16.0a2 (x86 en-US)
    Bonjour
    BufferChm
    C4580
    C4580_Help
    Camera Assistant Software for Toshiba
    Cards_Calendar_OrderGift_DoMorePlugout
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Czech
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CD/DVD Drive Acoustic Silencer
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DivX Web Player
    DocProc
    DocProcQFolder
    eSupportQFolder
    GearDrvs
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    GPBaseService
    GPBaseService2
    Hawkes Update Service Manager
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Imaging Device Functions 11.0
    HP Photosmart 5510 series Basic Device Software
    HP Photosmart 5510 series Help
    HP Photosmart C4500 All-In-One Driver Software 11.0 Rel .4
    HP Photosmart Essential 2.5
    HP Photosmart Essential 3.0
    HP Solution Center 13.0
    HP Update
    HPPhotoSmartPhotobookWebPack1
    HPProductAssistant
    iCloud
    iTunes
    Java(TM) 6 Update 6
    Malwarebytes Anti-Malware version 1.62.0.1300
    Medcin Server
    Medcin Student Edition
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Maintenance Service
    MSVCSetup
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Network
    OCR Software by I.R.I.S. 11.0
    PanoStandAlone
    Prealgebra (Fall 2011 Student)
    PS_AIO_04_C4580_ProductContext
    PS_AIO_04_C4580_Software
    PS_AIO_04_C4580_Software_Min
    PSSWCORE
    QuickTime
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
    Skins
    Skype™ 4.0
    SolutionCenter
    Spelling Dictionaries Support For Adobe Reader 9
    Status
    Synaptics Pointing Device Driver
    Toolbox
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Face Recognition
    TOSHIBA Hardware Setup
    TOSHIBA Software Modem
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TrayApp
    Trend Micro Internet Security
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC80CRTRedist - 8.0.50727.762
    VideoToolkit01
    WebReg
    WildTangent Games
    .
    ==== End Of File ===========================
  5. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    Here is the latest log from Malwarebytes:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.30.06
    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 8.0.6001.19088
    angela :: ANGELA-PC [administrator]
    8/7/2012 1:14:04 PM
    mbam-log-2012-08-07 (15-20-16).txt
    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 356666
    Time elapsed: 2 hour(s), 5 minute(s), 53 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 3
    C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> No action taken.
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000004.@ (Rootkit.Zaccess) -> No action taken.
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
    (end)

    I went ahead and removed the threats and restarted the laptop for the changes to take place. Any help is greatly appreciated.
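    The three files in that log share one layout: two payloads under a GUID-named folder with a U subfolder in C:\Windows\Installer, plus a Desktop.ini in C:\Windows\assembly\GAC, and all three are left at "No action taken" in the log as posted. The Python script below is an added example for this thread (it is not Malwarebytes' own code and not something the poster ran): it parses the "<Category> Detected: N" sections that Malwarebytes Anti-Malware 1.x writes, flags detections whose path or family name matches the ZeroAccess layout seen here (Rootkit.Zaccess / Trojan.0access), and counts how many were left untreated. The embedded sample log is constructed from the lines quoted in the post; the indicator patterns are assumptions derived from those three paths, not a Malwarebytes signature.

```python
r"""Triage a Malwarebytes Anti-Malware 1.x text log for ZeroAccess-style detections.

Added example for this thread; not Malwarebytes' code and not run by the original
poster. Parses the "<Category> Detected: N" sections of an MBAM 1.x log and flags
detections whose path or family name matches the ZeroAccess layout seen in the
thread: a payload folder \Windows\Installer\{GUID}\U\ and a hijacked
\Windows\assembly\GAC\Desktop.ini. SAMPLE_LOG is constructed from the posted log.
"""
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the log quoted in the thread (raw string: the
# paths contain backslashes that Python would otherwise treat as escapes).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.30.06
Windows Vista Service Pack 1 x86 NTFS
Scan type: Full scan (C:\|)
Objects scanned: 356666
Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> No action taken.
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000004.@ (Rootkit.Zaccess) -> No action taken.
C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
(end)
"""

# "Files Detected: 3", "Registry Keys Detected: 0", ... open a section of the log.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# One detection line: "<path> (<family name>) -> <action taken>".
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

# Assumed indicators, taken from the three paths in the thread: a 36-character
# GUID folder with a U subfolder under Windows\Installer, and the GAC Desktop.ini.
ZEROACCESS_PATH_RES = (
    re.compile(r"\\Windows\\Installer\\\{[0-9a-fA-F-]{36}\}\\U\\", re.IGNORECASE),
    re.compile(r"\\Windows\\assembly\\GAC\\Desktop\.ini$", re.IGNORECASE),
)
# Family names Malwarebytes used for this rootkit in the posted log.
ZEROACCESS_NAME_RE = re.compile(r"zaccess|0access|zeroaccess", re.IGNORECASE)


@dataclass
class Detection:
    section: str   # e.g. "Files", "Registry Keys"
    path: str      # file path or registry key as printed by MBAM
    name: str      # MBAM family name, e.g. "Rootkit.Zaccess"
    action: str    # e.g. "No action taken." or "Quarantined and deleted successfully."


def parse_mbam_log(text: str) -> list:
    """Return every detection line in the log, tagged with the section it sits in."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        # Skip header lines before the first section and the "(No malicious
        # items detected)" / "(end)" filler lines.
        if section is None or not line or line.startswith("("):
            continue
        item = ITEM_RE.match(line)
        if item:
            detections.append(Detection(section, item.group("path"),
                                        item.group("name"), item.group("action")))
    return detections


def flag_zeroaccess(detections: list) -> list:
    """Keep only detections whose path or family name matches the ZeroAccess layout."""
    return [d for d in detections
            if ZEROACCESS_NAME_RE.search(d.name)
            or any(r.search(d.path) for r in ZEROACCESS_PATH_RES)]


def triage(text: str) -> dict:
    """Summarise a log: total detections, ZeroAccess-style ones, and untreated ones."""
    detections = parse_mbam_log(text)
    zeroaccess = flag_zeroaccess(detections)
    untreated = [d for d in detections if d.action.lower().startswith("no action")]
    if zeroaccess:
        verdict = ("rootkit-class detections present; confirm with an offline scan "
                   "before trusting a 'clean' result from inside the running system")
    else:
        verdict = "no ZeroAccess indicators in this log"
    return {"total": len(detections), "zeroaccess": len(zeroaccess),
            "untreated": len(untreated), "verdict": verdict}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for d in flag_zeroaccess(parse_mbam_log(SAMPLE_LOG)):
        print(f"[{d.section}] {d.name}: {d.path} -> {d.action}")
    print(summary)
```

    Run against the sample it reports 3 detections, all 3 matching the ZeroAccess layout and all 3 untreated; pointing it at a real mbam-log-*.txt file (read with the same raw text) gives the same breakdown for that scan.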
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window, type notepad and press Enter.
    • Notepad opens. Under the File menu, select Open.
    • Select "Computer", find your flash drive letter, and close Notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button.
    • Type exit and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
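    For the step where the flash drive's letter has to be found, the lines below are an added example (not part of the helper's instructions or of FRST) that searches the drive letters for FRST.exe from the System Recovery Options Command Prompt instead of guessing "e:". They are typed one line at a time at that prompt (so the loop variable is %d; inside a saved .cmd file it would have to be %%d), and they assume FRST.exe was saved to the root of the flash drive as described above.

```batch
rem Added example: find which letter the flash drive received in System Recovery Options.
rem Typed line by line at the Recovery Command Prompt; assumes FRST.exe is in the drive's root.
for %d in (C D E F G H I J K L) do @if exist %d:\FRST.exe echo FRST.exe is on drive %d:

rem Then start FRST from the letter that was reported (F: in the poster's own log).
F:\FRST.exe
```

    A letter that has no device behind it simply fails the "if exist" test, so the loop never tries to read from a drive that is not ready.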
  7. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    hello dragonmasterjay,
    Thanks for your help in this issue. People like you are pretty awesome. My name is Jon, 27-year-old married father of 1. I like surfing the net, but lately it's been difficult. I've tried to follow your steps listed above, but so far I'm having trouble getting the frst.exe program to run when in System Recovery mode. It keeps telling me that the device is not ready in the command prompt screen. Not sure what to do.
  8. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    Figured it out. Sorry. Here is the log:
    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 05-08-2012 01
    Ran by SYSTEM at 07-08-2012 17:46:13
    Running from F:\
    Windows Vista (TM) Home Premium Service Pack 1 (X86) OS Language: English(US)
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [61440 2008-01-21] (Advanced Micro Devices, Inc.)
    HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [431456 2008-02-06] (TOSHIBA Corporation)
    HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [54608 2007-10-31] (TOSHIBA Corporation)
    HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [448080 2007-06-15] (TOSHIBA Corporation)
    HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [716800 2008-03-19] (TOSHIBA Corporation)
    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1029416 2007-12-06] (Synaptics, Inc.)
    HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [81920 2008-06-01] (Hewlett-Packard)
    HKLM\...\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [995528 2009-10-20] (Trend Micro Inc.)
    HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [973488 2012-07-03] (Malwarebytes Corporation)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-10-03] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [935288 2009-09-04] (Adobe Systems Incorporated)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKU\angela\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]
    HKU\angela\...\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [497008 2008-07-29] (Trend Micro Inc.)
    HKU\angela\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [23975720 2009-01-29] (Skype Technologies S.A.)
    HKU\angela\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-03-30] (Google Inc.)
    HKU\angela\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
    HKU\angela\...\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59240 2011-10-05] (Apple Inc.)
    HKU\angela\...\Run: [ApplePhotoStreams] C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59240 2011-09-29] (Apple Inc.)
    HKU\angela\...\Run: [HP Photosmart 5510 series (NET)] "C:\Program Files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN1AL09J9Z05NR:NW" -scfn "HP Photosmart 5510 series (NET)" -AutoStart 1 [1804648 2011-09-16] (Hewlett-Packard Co.)
    HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
    HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
    Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Hawkes Update Notifier.lnk
    ShortcutTarget: Hawkes Update Notifier.lnk -> C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe (Hawkes Learning Systems )
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
    Startup: C:\Users\angela\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
    ================================ Services (Whitelisted) ==================
    2 ConfigFree Service; "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" [40960 2008-04-16] (TOSHIBA CORPORATION)
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
    3 GameConsoleService; "C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [250616 2009-06-05] (WildTangent, Inc.)
    2 gupdate1c9cb4b47f2ec10; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-05-02] (Google Inc.)
    2 HawkesUpdater; "C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe" [8192 2003-04-18] ()
    3 jswpsapi; C:\Program Files\Jumpstart\jswpsapi.exe [954368 2008-04-16] (Atheros Communications, Inc.)
    2 medcinserv; "C:\Program Files\Medicomp\Server\medcinserv.exe" [536576 2010-12-16] (Medicomp Systems, Inc.)
    2 SfCtlCom; "C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe" [711248 2009-10-20] (Trend Micro Inc.)
    3 SmartFaceVWatchSrv; "C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe" [73728 2008-04-24] (Toshiba)
    2 TMBMServer; "C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service [341256 2009-03-03] (Trend Micro Inc.)
    2 TmPfw; "C:\Program Files\Trend Micro\Internet Security\TmPfw.exe" [497008 2009-09-03] (Trend Micro Inc.)
    2 TmProxy; "C:\Program Files\Trend Micro\Internet Security\TmProxy.exe" [677128 2009-09-03] (Trend Micro Inc.)
    2 TosCoSrv; "C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe" [431456 2008-02-06] (TOSHIBA Corporation)
    2 TOSHIBA SMART Log Service; "C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe" [126976 2007-12-03] (TOSHIBA Corporation)
    ========================== Drivers (Whitelisted) =============
    3 SVRPEDRV; \??\C:\Windows\System32\sysprep\PEDrv.sys [9216 2008-01-18] (Inventec Corporation)
    2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [50192 2009-04-02] (Trend Micro Inc.)
    2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [153104 2009-04-02] (Trend Micro Inc.)
    2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [50192 2009-04-02] (Trend Micro Inc.)
    1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [145424 2009-03-03] (Trend Micro Inc.)
    2 tmpreflt; C:\Windows\System32\DRIVERS\tmpreflt.sys [36368 2009-05-22] (Trend Micro Inc.)
    1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [80400 2009-03-03] (Trend Micro Inc.)
    2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [256528 2009-03-03] (Trend Micro Inc.)
    2 tmxpflt; C:\Windows\System32\DRIVERS\tmxpflt.sys [225296 2009-05-22] (Trend Micro Inc.)
    3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [18432 2007-12-17] (Chicony Electronics Co., Ltd.)
    2 vsapint; C:\Windows\System32\DRIVERS\vsapint.sys [1220120 2009-05-21] (Trend Micro Inc.)
    3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-08-07 17:45 - 2012-08-07 17:45 - 00000000 ____D C:\FRST
    2012-08-07 13:38 - 2012-08-07 13:31 - 00892958 ____A (Farbar) C:\Users\angela\Desktop\FRST.exe
    2012-08-07 07:37 - 2012-08-07 07:37 - 00138848 ____A C:\Windows\Minidump\Mini080712-01.dmp
    2012-08-07 07:29 - 2012-08-07 07:29 - 00000805 ____A C:\Users\angela\Desktop\gmer.log
    2012-07-27 04:55 - 2012-07-27 04:55 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-24 16:12 - 2012-07-24 16:12 - 00000000 ____D C:\Users\angela\AppData\Local\Macromedia
    2012-07-23 16:56 - 2012-08-07 10:52 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-23 16:56 - 2012-08-03 13:52 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-21 11:38 - 2012-07-21 11:38 - 00000000 ____D C:\Users\angela\Desktop\101KC310
    2012-07-12 16:16 - 2012-07-12 16:22 - 00000000 ____D C:\Users\angela\AppData\Local\Apple Computer
    2012-07-12 16:16 - 2012-07-12 16:16 - 00001675 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-07-12 16:11 - 2009-05-18 09:17 - 00026600 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
    2012-07-12 16:11 - 2008-04-17 08:12 - 00107368 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi.dll
    2012-07-12 16:09 - 2012-07-12 16:10 - 00000000 ____D C:\Users\All Users\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2012-07-12 16:09 - 2012-07-12 16:10 - 00000000 ____D C:\Program Files\iTunes
    2012-07-12 16:09 - 2012-07-12 16:09 - 00000000 ____D C:\Program Files\iPod
    ============ 3 Months Modified Files ========================
    2012-08-07 13:41 - 2009-02-10 18:56 - 09985961 ____A C:\Windows\TmComm.log
    2012-08-07 13:41 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-07 13:41 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-07 13:41 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-07 13:40 - 2006-11-02 05:01 - 00032622 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-07 13:40 - 2006-11-02 02:33 - 00004710 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-07 13:37 - 2009-07-03 19:48 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-07 13:31 - 2012-08-07 13:38 - 00892958 ____A (Farbar) C:\Users\angela\Desktop\FRST.exe
    2012-08-07 11:23 - 2008-01-20 18:47 - 00095342 ____A C:\Windows\PFRO.log
    2012-08-07 11:00 - 2009-07-03 19:48 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-07 10:52 - 2012-07-23 16:56 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-07 07:37 - 2012-08-07 07:37 - 00138848 ____A C:\Windows\Minidump\Mini080712-01.dmp
    2012-08-07 07:37 - 2009-03-03 13:36 - 248056596 ____A C:\Windows\MEMORY.DMP
    2012-08-07 07:29 - 2012-08-07 07:29 - 00000805 ____A C:\Users\angela\Desktop\gmer.log
    2012-08-06 21:15 - 2008-11-28 13:13 - 01218803 ____A C:\Windows\WindowsUpdate.log
    2012-08-06 19:36 - 2011-10-13 11:19 - 00004104 ____A C:\Windows\IE9_main.log
    2012-08-03 13:52 - 2012-07-23 16:56 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-03 13:52 - 2012-02-13 12:50 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-01 12:03 - 2009-05-02 09:28 - 00001982 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2012-07-24 04:54 - 2009-02-02 10:20 - 00001356 ____A C:\Users\angela\AppData\Local\d3d9caps.dat
    2012-07-21 07:27 - 2012-01-10 17:35 - 00000917 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-12 16:16 - 2012-07-12 16:16 - 00001675 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-07-10 23:01 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-03 09:46 - 2010-04-29 17:29 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-05-31 08:25 - 2010-03-29 15:06 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

    ZeroAccess:
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\@
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\L
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\L\00000004.@
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\L\201d3dde
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000004.@
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000008.@
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\000000cb.@
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\80000000.@
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\80000032.@
    ZeroAccess:
    C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}
    C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\@
    C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\L
    C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U
    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 5DC3C54FC22BBB6F66C290C7C0384DF9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 13%
    Total physical RAM: 2813.1 MB
    Available physical RAM: 2428.11 MB
    Total Pagefile: 2612.97 MB
    Available Pagefile: 2476.21 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1974.31 MB
    ======================= Partitions =========================
    1 Drive c: (SQ004720V05) (Fixed) (Total:225.52 GB) (Free:140.75 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
    4 Drive f: () (Removable) (Total:3.76 GB) (Free:3.39 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 233 GB 0 B
    Disk 1 Online 3856 MB 0 B
    Disk 2 No Media 0 B 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 1500 MB 1024 KB
    Partition 2 Primary 226 GB 1501 MB
    Partition 3 Primary 6040 MB 227 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C SQ004720V05 NTFS Partition 226 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 3
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: No
    There is no volume associated with this partition.
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3856 MB 32 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 F FAT32 Removable 3856 MB Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-08-07 13:32
    ======================= End Of Log ==========================
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi Jon! Good work there...we'll get this cleaned up ASAP! :)

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)
    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
  10. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    Hey dmj, thanks for your help so far. Here is a log from the services.exe search.

    Farbar Recovery Scan Tool Version: 05-08-2012 01
    Ran by SYSTEM at 2012-08-08 09:04:10
    Running from G:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
    C:\Windows\System32\services.exe
    [2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 5DC3C54FC22BBB6F66C290C7C0384DF9
    C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-09-17 14:54] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
    === End Of Search ===
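The search output above is the evidence the helper acts on: the System32 copy of services.exe has the same size and timestamps as the WinSxS component-store copy but a different MD5. As an added example (not from this thread and not FRST's own code), the Python script below parses FRST search output and makes that comparison automatically; the sample log is constructed from the values posted here, and the helper names are my own.

```python
"""Added example (not from the thread or from FRST): parse an FRST "Search"
log and flag a System32 binary whose MD5 differs from the same-size copy in
the WinSxS component store, the check that exposed the patched services.exe."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, assembled from the values posted in this thread.
SAMPLE_SEARCH_LOG = r"""
Farbar Recovery Scan Tool Version: 05-08-2012 01
Ran by SYSTEM at 2012-08-08 09:04:10
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 5DC3C54FC22BBB6F66C290C7C0384DF9
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-17 14:54] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
=== End Of Search ===
"""

# A hit is a path line followed by one metadata line:
# [created] - [modified] - size attributes (company) MD5
PATH_RE = re.compile(r"^[A-Za-z]:\\")
META_RE = re.compile(
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# WinSxS component directories carry the file version in their name.
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


@dataclass
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def version(self) -> Optional[str]:
        m = VERSION_RE.search(self.path)
        return m.group(1) if m else None

    @property
    def in_component_store(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def in_system32(self) -> bool:
        return self.path.lower().startswith("c:\\windows\\system32\\")


def parse_search_log(text: str) -> List[FileEntry]:
    """Pair each path line with the metadata line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: List[FileEntry] = []
    for i in range(len(lines) - 1):
        if not PATH_RE.match(lines[i]):
            continue
        m = META_RE.match(lines[i + 1])
        if m is None:
            continue  # path without metadata (e.g. unreadable file): skip
        entries.append(FileEntry(lines[i], m["created"], m["modified"],
                                 int(m["size"]), m["company"], m["md5"].upper()))
    return entries


def check_system32_copies(text: str) -> List[dict]:
    """Compare each System32 hit with component-store copies of the same size.

    Identical size and timestamps but a different MD5 means the bytes were
    swapped in place, which is how the infected services.exe looked here.
    """
    entries = parse_search_log(text)
    refs = [e for e in entries if e.in_component_store]
    findings = []
    for live in (e for e in entries if e.in_system32):
        same_size = [r for r in refs if r.size == live.size]
        matching = [r for r in same_size if r.md5 == live.md5]
        if not same_size:
            verdict, ref = "unverified", None   # no same-version reference
        elif matching:
            verdict, ref = "clean", matching[0]
        else:
            verdict, ref = "patched", same_size[0]
        findings.append({
            "path": live.path,
            "md5": live.md5,
            "verdict": verdict,
            "reference_path": ref.path if ref else None,
            "reference_version": ref.version if ref else None,
            "reference_md5": ref.md5 if ref else None,
        })
    return findings


if __name__ == "__main__":
    for f in check_system32_copies(SAMPLE_SEARCH_LOG):
        print(f["verdict"], f["path"], f["md5"], "expected", f["reference_md5"])
```

The pending-update copy under SoftwareDistribution is a different build (6.0.6002.18005, different size), so it is neither a reference nor a false positive; only the same-size WinSxS copy is used as the known-good baseline.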
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
     
  12. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    Hey dragonmasterjay,
    Here is a copy of the fixlog that you requested.
    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01
    Ran by SYSTEM at 2012-08-09 09:17:42 Run:1
    Running from F:\
    ==============================================
    C:\Windows\Installer\{ebc961a9-e28e-4bf8-60ea-4fd39f364049} moved successfully.
    C:\Users\angela\AppData\Local\{ebc961a9-e28e-4bf8-60ea-4fd39f364049} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe copied successfully to C:\Windows\System32\services.exe
    ==== End of Fixlog ====
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay good. Back to Normal Mode in Windows...

    Scan for malware

    Please download Malwarebytes Anti-Malware from HERE.


    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.
  14. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.08.10.01
    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 8.0.6001.19088
    angela :: ANGELA-PC [administrator]
    8/9/2012 10:56:08 PM
    mbam-log-2012-08-09 (22-56-08).txt
    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 361566
    Time elapsed: 1 hour(s), 50 minute(s), 47 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 6
    C:\FRST\Quarantine\Desktop.ini (Trojan.0access) -> Quarantined and deleted successfully.
    C:\FRST\Quarantine\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000004.@ (Rootkit.Zaccess) -> Quarantined and deleted successfully.
    C:\FRST\Quarantine\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
    C:\FRST\Quarantine\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\FRST\Quarantine\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\80000000.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\FRST\Quarantine\{ebc961a9-e28e-4bf8-60ea-4fd39f364049}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
    (end)
  15. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    Not sure if that was supposed to fix everything or not, but for some reason I'm still unable to check for Windows updates; it says the service is not running when I try to. That isn't normal, is it?
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    It's okay. We will solve that issue soon.

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    • The report has been created on the desktop.
    • Next click on the ShortcutsFix
    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
  17. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    RogueKiller V7.6.5 [08/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
    Started in : Normal mode
    User: angela [Admin rights]
    Mode: Scan -- Date: 08/10/2012 09:18:01
    ¤¤¤ Bad processes: 0 ¤¤¤
    ¤¤¤ Registry Entries: 3 ¤¤¤
    [HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver: [LOADED] ¤¤¤
    SSDT[64] : NtCreateKey @ 0x81FFDFA5 -> HOOKED (Unknown @ 0x88397000)
    SSDT[72] : NtCreateProcess @ 0x820AA72B -> HOOKED (Unknown @ 0x88396240)
    SSDT[73] : NtCreateProcessEx @ 0x820AA776 -> HOOKED (Unknown @ 0x88396500)
    SSDT[78] : NtCreateThread @ 0x820AA560 -> HOOKED (Unknown @ 0x88397E60)
    SSDT[123] : NtDeleteKey @ 0x81FCB83C -> HOOKED (Unknown @ 0x88397580)
    SSDT[126] : NtDeleteValueKey @ 0x81FC621F -> HOOKED (Unknown @ 0x88397840)
    SSDT[165] : NtLoadDriver @ 0x81F85AD0 -> HOOKED (Unknown @ 0x883981A0)
    SSDT[194] : NtOpenProcess @ 0x82027EF2 -> HOOKED (Unknown @ 0x88396A80)
    SSDT[324] : NtSetValueKey @ 0x81FFEDD1 -> HOOKED (Unknown @ 0x883972C0)
    SSDT[334] : NtTerminateProcess @ 0x81FF92F0 -> HOOKED (Unknown @ 0x88396D40)
    SSDT[358] : NtWriteVirtualMemory @ 0x82024033 -> HOOKED (Unknown @ 0x88397CC0)
    SSDT[382] : NtCreateThreadEx @ 0x82017F82 -> HOOKED (Unknown @ 0x88398000)
    SSDT[383] : NtCreateUserProcess @ 0x81FDEE26 -> HOOKED (Unknown @ 0x883967C0)
    S_SSDT[572] : Unknown -> HOOKED (Unknown @ 0x88398800)
    S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x88398620)
    ¤¤¤ Infection : ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost
    ::1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD2500BEVS-26UST0 ATA Device +++++
    --- User ---
    [MBR] 90491ffc9df81997944036447b4caea5
    [BSP] 184e9a2b552b3be8ff90bd294c2c3797 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 230934 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 476026880 | Size: 6040 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[1].txt >>
    RKreport[1].txt
  18. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    RogueKiller V7.6.5 [08/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
    Started in : Normal mode
    User: angela [Admin rights]
    Mode: Remove -- Date: 08/10/2012 09:19:35
    ¤¤¤ Bad processes: 0 ¤¤¤
    ¤¤¤ Registry Entries: 3 ¤¤¤
    [HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> REPLACED (1)
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver: [LOADED] ¤¤¤
    SSDT[64] : NtCreateKey @ 0x81FFDFA5 -> HOOKED (Unknown @ 0x88397000)
    SSDT[72] : NtCreateProcess @ 0x820AA72B -> HOOKED (Unknown @ 0x88396240)
    SSDT[73] : NtCreateProcessEx @ 0x820AA776 -> HOOKED (Unknown @ 0x88396500)
    SSDT[78] : NtCreateThread @ 0x820AA560 -> HOOKED (Unknown @ 0x88397E60)
    SSDT[123] : NtDeleteKey @ 0x81FCB83C -> HOOKED (Unknown @ 0x88397580)
    SSDT[126] : NtDeleteValueKey @ 0x81FC621F -> HOOKED (Unknown @ 0x88397840)
    SSDT[165] : NtLoadDriver @ 0x81F85AD0 -> HOOKED (Unknown @ 0x883981A0)
    SSDT[194] : NtOpenProcess @ 0x82027EF2 -> HOOKED (Unknown @ 0x88396A80)
    SSDT[324] : NtSetValueKey @ 0x81FFEDD1 -> HOOKED (Unknown @ 0x883972C0)
    SSDT[334] : NtTerminateProcess @ 0x81FF92F0 -> HOOKED (Unknown @ 0x88396D40)
    SSDT[358] : NtWriteVirtualMemory @ 0x82024033 -> HOOKED (Unknown @ 0x88397CC0)
    SSDT[382] : NtCreateThreadEx @ 0x82017F82 -> HOOKED (Unknown @ 0x88398000)
    SSDT[383] : NtCreateUserProcess @ 0x81FDEE26 -> HOOKED (Unknown @ 0x883967C0)
    S_SSDT[572] : Unknown -> HOOKED (Unknown @ 0x88398800)
    S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x88398620)
    ¤¤¤ Infection : ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost
    ::1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD2500BEVS-26UST0 ATA Device +++++
    --- User ---
    [MBR] 90491ffc9df81997944036447b4caea5
    [BSP] 184e9a2b552b3be8ff90bd294c2c3797 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 230934 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 476026880 | Size: 6040 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt
  19. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    Time : 10/08/2012 09:18:01
    --------------------------

    Time : 10/08/2012 09:19:35
    --------------------------

    Time : 10/08/2012 09:20:46
    --------------------------
  20. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    Not sure about that last one, but it was the text file that was in the folder rk_quarantine after the initial scan.
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
  22. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    ComboFix 12-08-10.01 - angela 08/11/2012 12:47:36.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1520 [GMT -4:00]
    Running from: c:\users\angela\Desktop\ComboFix.exe
    AV: Trend Micro Internet Security *Disabled/Outdated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
    FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
    SP: Trend Micro Internet Security *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\angela\AppData\Roaming\alggui.exe
    c:\users\angela\AppData\Roaming\scdata
    c:\users\angela\AppData\Roaming\scdata\images\i1.gif
    c:\users\angela\AppData\Roaming\scdata\images\i2.gif
    c:\users\angela\AppData\Roaming\scdata\images\i3.gif
    c:\users\angela\AppData\Roaming\scdata\images\j1.gif
    c:\users\angela\AppData\Roaming\scdata\images\j2.gif
    c:\users\angela\AppData\Roaming\scdata\images\j3.gif
    c:\users\angela\AppData\Roaming\scdata\images\jj1.gif
    c:\users\angela\AppData\Roaming\scdata\images\jj2.gif
    c:\users\angela\AppData\Roaming\scdata\images\jj3.gif
    c:\users\angela\AppData\Roaming\scdata\images\l1.gif
    c:\users\angela\AppData\Roaming\scdata\images\l2.gif
    c:\users\angela\AppData\Roaming\scdata\images\l3.gif
    c:\users\angela\AppData\Roaming\scdata\images\pix.gif
    c:\users\angela\AppData\Roaming\scdata\images\t1.gif
    c:\users\angela\AppData\Roaming\scdata\images\t2.gif
    c:\users\angela\AppData\Roaming\scdata\images\Thumbs.db
    c:\users\angela\AppData\Roaming\scdata\images\up1.gif
    c:\users\angela\AppData\Roaming\scdata\images\up2.gif
    c:\users\angela\AppData\Roaming\scdata\images\w1.gif
    c:\users\angela\AppData\Roaming\scdata\images\w11.gif
    c:\users\angela\AppData\Roaming\scdata\images\w2.gif
    c:\users\angela\AppData\Roaming\scdata\images\w3.jpg
    c:\users\angela\AppData\Roaming\scdata\images\word.doc
    c:\users\angela\AppData\Roaming\scdata\images\wt1.gif
    c:\users\angela\AppData\Roaming\scdata\images\wt2.gif
    c:\users\angela\AppData\Roaming\scdata\images\wt3.gif
    c:\users\angela\AppData\Roaming\scdata\wispex.html
    c:\users\angela\AppData\Roaming\skynet.dat
    c:\users\angela\AppData\Roaming\wp3.dat
    c:\users\angela\AppData\Roaming\wp4.dat
    c:\users\angela\Documents\~WRL0866.tmp
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\system32\pt
    c:\windows\system32\pt\smartfacevcp.dll.mui
    c:\windows\system32\pt\toscdspd.cpl.mui
    c:\windows\system32\service
    c:\windows\system32\service\10042010_TIS17_SfFniAU.log
    c:\windows\system32\service\16012012_TIS17_SfFniAU.log
    c:\windows\system32\service\17022009_TIS17_SfFniAU.log
    c:\windows\system32\service\20062011_TIS17_SfFniAU.log
    c:\windows\TEMP\mia45\mEXEFunc.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-11 17:00 . 2012-08-11 17:00 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-08 01:45 . 2012-08-08 01:45 -------- d-----w- C:\FRST
    2012-07-27 12:55 . 2012-07-27 12:55 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-25 00:12 . 2012-07-25 00:12 -------- d-----w- c:\users\angela\AppData\Local\Macromedia
    2012-07-24 13:00 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{59D4FD3F-CE2D-4008-BCB7-9B8BACC8CA74}\mpengine.dll
    2012-07-24 00:56 . 2012-08-03 21:52 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-13 00:16 . 2012-07-13 00:22 -------- d-----w- c:\users\angela\AppData\Local\Apple Computer
    2012-07-13 00:11 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-07-13 00:11 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2012-07-13 00:09 . 2012-07-13 00:09 -------- d-----w- c:\program files\iPod
    2012-07-13 00:09 . 2012-07-13 00:10 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2012-07-13 00:09 . 2012-07-13 00:10 -------- d-----w- c:\program files\iTunes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-03 21:52 . 2012-02-13 20:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-03 17:46 . 2010-04-30 01:29 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-31 16:25 . 2010-03-29 23:06 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-30 39408]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2011-10-06 59240]
    "ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2011-09-29 59240]
    "HP Photosmart 5510 series (NET)"="c:\program files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe" [2011-09-16 1804648]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 81920]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-07-03 973488]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    .
    c:\users\angela\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Hawkes Update Notifier.lnk - c:\program files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe [2011-11-23 3140288]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-26 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
    2008-04-29 18:33 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2008-04-08 23:14 6037504 ----a-w- c:\windows\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2007-12-07 02:12 1029416 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-11 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-24 21:52]
    .
    2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 17:27]
    .
    2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 17:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    FF - ProfilePath - c:\users\angela\AppData\Roaming\Mozilla\Firefox\Profiles\si4rnafn.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
    MSConfigStartUp-cfFncEnabler - cfFncEnabler.exe
    MSConfigStartUp-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
    MSConfigStartUp-NDSTray - NDSTray.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-11 13:07
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Trend Micro\BM\TMBMSRV.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe
    c:\program files\Medicomp\Server\medcinserv.exe
    c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
    c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
    c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\HP Photosmart 5510 series\Bin\HPNetworkCommunicator.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-08-11 13:11:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-11 17:11
    .
    Pre-Run: 151,130,435,584 bytes free
    Post-Run: 152,286,380,032 bytes free
    .
    - - End Of File - - 74A93BD2C0D7310A1D209DBD90CD72B5
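    One way to read a ComboFix log like the one above with a redirect complaint in mind, as an added example (it is not part of the thread and not ComboFix's own code): split the log into its section blocks, then pull out the deleted files that sat in user-writable locations, any Run-key autostart whose image is outside Program Files or Windows, and the DNS, proxy and start-page values from the Supplementary Scan. The sample input is an excerpt of the log posted above plus one constructed Run-key line (marked in the code) so the autorun check has something to flag; the trusted roots and the EXPECTED_DNS set are assumptions you would replace with what your own ISP or router hands out.

```python
"""Triage a ComboFix log for the things that matter to a browser-redirect complaint.

Added example, not ComboFix's own code. Reports:
  * files ComboFix deleted from user-writable locations (AppData, Temp, ProgramData),
  * Run-key autostarts whose image is outside TRUSTED_ROOTS (assumption: Program
    Files and Windows are trusted, everything else is worth a look),
  * DHCP-supplied DNS servers, proxy and start page, with the DNS servers compared
    against EXPECTED_DNS (assumption: what the ISP/router should be handing out).
"""
import re

# Excerpt of the ComboFix log posted above, used as sample input. The @@CONSTRUCTED@@
# marker is replaced with one constructed Run-key line (see CONSTRUCTED_AUTORUN).
LOG_EXCERPT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\angela\AppData\Roaming\alggui.exe
c:\users\angela\AppData\Roaming\scdata\wispex.html
c:\users\angela\AppData\Roaming\skynet.dat
c:\users\angela\Documents\~WRL0866.tmp
c:\windows\TEMP\mia45\mEXEFunc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
@@CONSTRUCTED@@
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
"""

# Constructed line (NOT in the posted log): an autostart pointing into AppData\Roaming,
# included only so the autorun check has something to flag.
CONSTRUCTED_AUTORUN = r'"Updater"="c:\users\angela\AppData\Roaming\alggui.exe" [2012-08-01 61440]'
SAMPLE_LOG = LOG_EXCERPT.replace("@@CONSTRUCTED@@", CONSTRUCTED_AUTORUN)

# Assumption: the DNS servers this machine should be getting from its router/ISP.
EXPECTED_DNS = {"209.18.47.61", "209.18.47.62"}

# ComboFix section headers look like "(((( Name ))))" or "---- Name ----".
HEADER_RE = re.compile(r"^(?:\(+|-+)\s*([A-Za-z0-9 ]+?)\s*(?:\)+|-+)$")
# Run-key lines look like "Name"="c:\path\image.exe" [date size]
AUTORUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\progra~1\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")
PAYLOAD_EXT = (".exe", ".dll", ".dat", ".sys", ".scr", ".com")


def split_sections(log):
    """Group non-empty log lines under the section header that precedes them."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def flag_deleted_files(lines):
    """Deleted paths that are executable-ish AND sit in a user-writable location."""
    return [l for l in lines
            if l.lower().endswith(PAYLOAD_EXT) and any(t in l.lower() for t in USER_WRITABLE)]


def flag_autoruns(lines):
    """Run-key entries whose image is outside TRUSTED_ROOTS, as (name, image) pairs."""
    hits = []
    for line in lines:
        m = AUTORUN_RE.match(line)
        if m and not m.group(2).lower().startswith(TRUSTED_ROOTS):
            hits.append((m.group(1), m.group(2)))
    return hits


def network_settings(lines):
    """DNS, proxy and start-page values from the Supplementary Scan block."""
    out = {"dns": [], "proxy_override": None, "proxy_server": None, "start_page": None}
    for line in lines:
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "TCP: DhcpNameServer":
            out["dns"] = value.split()
        elif key.endswith("ProxyOverride"):
            out["proxy_override"] = value
        elif key.endswith("ProxyServer"):
            out["proxy_server"] = value
        elif key == "uStart Page":
            out["start_page"] = value
    return out


def unexpected_dns(servers, expected=EXPECTED_DNS):
    """Servers not in the expected set; a changed DNS server is a classic redirect cause."""
    return [s for s in servers if s not in expected]


def triage(log, expected_dns=EXPECTED_DNS):
    """Run all the checks over one log and return the findings as a dict."""
    sections = split_sections(log)
    net = network_settings(sections.get("Supplementary Scan", []))
    return {
        "deleted_payloads": flag_deleted_files(sections.get("Other Deletions", [])),
        "untrusted_autoruns": flag_autoruns(sections.get("Reg Loading Points", [])),
        "network": net,
        "unexpected_dns": unexpected_dns(net["dns"], expected_dns),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    The DhcpNameServer value is whatever the DHCP server (usually the home router) handed out, so if those addresses are not the ones you expect, check the router's DNS settings as well as the laptop. A non-empty ProxyServer value when no proxy was ever configured is worth the same scrutiny, since it sends every browser request through a host of someone else's choosing.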
  23. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    Things are looking pretty good over here :)
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Scan with Malwarebytes' Anti-Malware

    Please open Malwarebytes' Anti-Malware, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.
  25. jondjames

    jondjames TS Rookie Topic Starter Posts: 22

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.08.12.06
    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 8.0.6001.19088
    angela :: ANGELA-PC [administrator]
    8/12/2012 8:22:30 PM
    mbam-log-2012-08-12 (20-22-30).txt
    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 351918
    Time elapsed: 1 hour(s), 54 minute(s), 59 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
