TechSpot

Tidserv 2 removal help needed

By Henleyz
May 29, 2010
  1. Getting the Tidserv 2 pop-up periodically. Have read and followed the 8-step instructions.

    Thanks in advance for your help.

    Logs Below:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4155

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    5/29/2010 10:27:40 PM
    mbam-log-2010-05-29 (22-27-40).txt

    Scan type: Quick scan
    Objects scanned: 159443
    Time elapsed: 7 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 3
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\Zugo (Adware.Zugo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\hclaxton.NTECH\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Search Toolbar\SearchToolbar.dll (Trojan.BHO) -> Delete on reboot.


    GMER

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-05-29 22:39:36
    Windows 6.0.6002 Service Pack 2
    Running: 1n5dvb7r.exe; Driver: C:\Users\HCLAXT~1.NTE\AppData\Local\Temp\kfgoifow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp wpsdrvnt.sys
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp wpsdrvnt.sys
    AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    Device -> \Driver\iaStor \Device\Harddisk0\DR0 861D2D01

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\iaStor.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

    DDS


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by hclaxton at 22:52:26.43 on Sat 05/29/2010
    Internet Explorer: 7.0.6002.18005
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3062.1652 [GMT -4:00]

    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    SP: Symantec Endpoint Protection *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
    C:\TOSHIBA\IVP\ISM\pinger.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe
    C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Citrix\GoToMeeting\366\g2mcomm.exe
    C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
    C:\Program Files\Citrix\GoToMeeting\366\g2mlauncher.exe
    C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
    C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\System32\svchost.exe -k swprv
    \\server1\RedirFolders\hclaxton\Desktop\Malware Tech Files\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    uInternet Settings,ProxyServer = 192.168.201.3:8080
    BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    uRun: [GoToMeeting] c:\program files\citrix\gotomeeting\366\g2mstart.exe "/Trigger RunAtLogon"
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\users\hclaxt~1.nte\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\SnagIt32.exe
    uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
    uPolicies-system: SetVisualStyle =
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ============= SERVICES / DRIVERS ===============

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-29 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-29 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-29 60936]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
    R2 msftesql$PROPHETSQL;SQL Server FullText Search (PROPHETSQL);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2007-6-22 95592]
    R2 MSSQL$PROPHETSQL;SQL Server (PROPHETSQL);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-2-14 2440120]
    R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
    R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-11-16 187904]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
    R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-11-16 48472]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-2-14 23888]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

    =============== Created Last 30 ================

    2010-05-30 02:18:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-30 02:18:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-30 02:06:49 336979633 ----a-w- c:\windows\MEMORY.DMP
    2010-05-29 19:18:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-29 19:03:45 0 d-----w- c:\program files\Windows Portable Devices
    2010-05-29 19:03:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2010-05-29 18:53:45 92672 ----a-w- c:\windows\system32\UIAnimation.dll
    2010-05-29 18:53:44 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
    2010-05-29 18:53:44 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
    2010-05-29 18:50:58 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2010-05-29 18:50:57 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2010-05-29 18:50:57 234496 ----a-w- c:\windows\system32\oleacc.dll
    2010-05-29 18:38:27 0 d-----w- c:\windows\SQL9_KB970892_ENU
    2010-05-29 18:35:36 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-05-29 18:35:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-05-29 18:35:33 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-05-29 18:29:45 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-05-29 18:29:05 60928 ----a-w- c:\windows\system32\msasn1.dll
    2010-05-29 18:27:59 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2010-05-29 18:27:59 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-05-29 18:27:59 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-05-29 18:27:55 355328 ----a-w- c:\windows\system32\WSDApi.dll
    2010-05-29 18:27:51 243712 ----a-w- c:\windows\system32\rastls.dll
    2010-05-29 18:27:47 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-05-29 18:27:46 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-05-29 18:27:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-05-29 18:26:50 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2010-05-29 18:26:48 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-05-29 18:25:59 62464 ----a-w- c:\windows\system32\l3codeca.acm
    2010-05-29 18:25:59 220672 ----a-w- c:\windows\system32\l3codecp.acm
    2010-05-29 18:25:55 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2010-05-29 18:25:54 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2010-05-29 18:25:51 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2010-05-29 18:23:22 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
    2010-05-29 17:55:06 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-05-29 17:55:05 0 d-----w- c:\programdata\Avira
    2010-05-29 17:55:05 0 d-----w- c:\program files\Avira
    2010-05-27 02:41:42 65536 --sha-w- c:\users\hclaxton.ntech\ntuser.dat{16b78664-6937-11df-a95a-001e68291fcc}.TM.blf
    2010-05-27 02:41:42 524288 --sha-w- c:\users\hclaxton.ntech\ntuser.dat{16b78664-6937-11df-a95a-001e68291fcc}.TMContainer00000000000000000002.regtrans-ms
    2010-05-27 02:41:42 524288 --sha-w- c:\users\hclaxton.ntech\ntuser.dat{16b78664-6937-11df-a95a-001e68291fcc}.TMContainer00000000000000000001.regtrans-ms
    2010-05-25 21:27:20 0 d-----w- c:\users\hclaxt~1.nte\appdata\roaming\Malwarebytes
    2010-05-25 21:27:09 0 d-----w- c:\programdata\Malwarebytes
    2010-05-25 21:27:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-17 02:14:43 0 d-----w- c:\program files\Search Toolbar
    2010-05-17 02:14:22 0 d-----w- c:\program files\File Extension Finder
    2010-05-12 13:25:22 1542605 ----a-w- c:\users\hclaxton.ntech\Hotel_Equities_Brochure.pdf
    2010-05-10 21:22:56 73577 ----a-w- c:\users\hclaxton.ntech\PublicAgenda-1021[1].pdf
    2010-05-10 21:22:24 73552 ----a-w- c:\users\hclaxton.ntech\PublicAgenda-1020[1].pdf
    2010-05-10 21:20:16 77543 ----a-w- c:\users\hclaxton.ntech\PublicAgenda-1022[1].pdf
    2010-05-10 19:35:25 35328 ----a-w- c:\users\hclaxton.ntech\7_ways_to_increase_profits[1].doc
    2010-05-10 02:52:25 0 ----a-w- C:\t1h8.2
    2010-05-05 18:10:23 37767 ----a-w- c:\users\hclaxton.ntech\ppl grp app.pdf

    ==================== Find3M ====================

    2010-05-29 19:03:17 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-05-29 19:03:17 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-05-29 19:03:17 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-05-29 19:03:17 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-03-04 17:33:45 430080 ----a-w- c:\windows\system32\vbscript.dll
    2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-12-31 00:12:10 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
    2009-11-26 20:06:53 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009112620091127\index.dat
    2009-12-31 00:12:10 131072 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009123020091231\index.dat
    2008-07-18 06:46:01 14 --sha-r- c:\windows\system32\drivers\fbd.sys
    2008-07-18 06:45:59 5 --sha-r- c:\windows\system32\drivers\taishop.sys

    ============= FINISH: 22:52:53.34 ===============
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please, don't zip attached files.

    You're running two AV programs, Norton and Avira. One of them has to go.
    If Norton (preferably), make sure to use Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
    If you remove Norton, make sure to turn Windows firewall on.

    When done...

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or you can hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
     
  3. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    My apologies for zipping the attachment.

    Had to remove Avira and keep Norton

    Not able to run TDSSKiller from the desktop, "location not valid". See attached msg.
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7, right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up; press any key to close it once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com.
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Then, try TDSSKiller again.
     
  5. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    Ran RKill and exeHelper, exeHelper log attached. Still cannot run TDSSKiller.
     

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please download ComboFix from Here or Here, but rename combofix.exe to broni.com BEFORE saving the file to your Desktop.

    Run rKill first and then follow what's below...

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    3. Double click on combofix.exe & follow the prompts.
    4. When finished, it will produce a report for you.
    5. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    Combofix log is below. Going to get some sleep now. Will respond to your instructions in am tomorrow.

    Thanks again!


    ComboFix 10-05-29.03 - hclaxton 05/30/2010 1:01.2.2 - x86
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3062.1882 [GMT -4:00]
    Running from: \\server1\RedirFolders\hclaxton\Desktop\broni.com
    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    SP: Symantec Endpoint Protection *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\SearchToolbarUpdater.exe
    c:\users\hclaxton.NTECH\g2mdlhlpx.exe
    c:\users\hclaxton.NTECH\GoToAssistDownloadHelper.exe
    c:\users\hclaxton\g2mdlhlpx.exe
    c:\users\hclaxton\GoToAssistDownloadHelper.exe
    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
    .

    2010-05-30 05:10 . 2010-05-30 05:10 -------- d-----w- c:\users\NAVITECH\AppData\Local\temp
    2010-05-30 05:10 . 2010-05-30 05:10 -------- d-----w- c:\users\hclaxton\AppData\Local\temp
    2010-05-30 05:10 . 2010-05-30 05:10 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-05-30 05:10 . 2010-05-30 05:10 -------- d-----w- c:\users\administrator\AppData\Local\temp
    2010-05-30 02:18 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-30 02:18 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-29 19:18 . 2010-05-29 19:18 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-29 19:03 . 2010-05-29 19:03 -------- d-----w- c:\program files\Windows Portable Devices
    2010-05-29 18:53 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
    2010-05-29 18:53 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
    2010-05-29 18:53 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
    2010-05-29 18:50 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2010-05-29 18:50 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2010-05-29 18:50 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
    2010-05-29 18:38 . 2010-05-29 18:38 -------- d-----w- c:\windows\SQL9_KB970892_ENU
    2010-05-29 18:35 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-05-29 18:35 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-05-29 18:35 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-05-29 18:29 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-05-29 18:29 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
    2010-05-29 18:27 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-05-29 18:27 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-05-29 18:27 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2010-05-29 18:27 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
    2010-05-29 18:27 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
    2010-05-29 18:27 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-05-29 18:27 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-05-29 18:27 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-05-29 18:26 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2010-05-29 18:26 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-05-29 18:25 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2010-05-29 18:25 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2010-05-29 18:25 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2010-05-29 18:23 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
    2010-05-25 21:27 . 2010-05-25 21:27 -------- d-----w- c:\users\hclaxton.NTECH\AppData\Roaming\Malwarebytes
    2010-05-25 21:27 . 2010-05-25 21:27 -------- d-----w- c:\programdata\Malwarebytes
    2010-05-25 21:27 . 2010-05-30 02:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-17 02:14 . 2010-05-17 02:14 -------- d-----w- c:\program files\File Extension Finder

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-30 04:56 . 2009-10-11 16:54 -------- d-----w- c:\users\hclaxton.NTECH\AppData\Roaming\Skype
    2010-05-30 04:11 . 2010-05-30 04:11 141288 ----a-w- c:\windows\system32\drivers\tsk1738.tmp
    2010-05-30 04:02 . 2009-10-11 16:56 -------- d-----w- c:\users\hclaxton.NTECH\AppData\Roaming\skypePM
    2010-05-29 19:18 . 2008-02-20 22:58 -------- d-----w- c:\program files\Java
    2010-05-29 19:10 . 2008-11-17 14:57 114968 ----a-w- c:\users\hclaxton.NTECH\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-29 19:05 . 2009-10-13 01:39 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-05-29 19:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-05-29 19:03 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-05-29 19:03 . 2010-05-29 19:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2010-05-29 18:58 . 2008-03-23 23:47 -------- d-----w- c:\programdata\Microsoft Help
    2010-05-29 18:39 . 2008-09-03 19:21 -------- d-----w- c:\program files\Microsoft SQL Server
    2010-05-29 17:48 . 2010-03-14 00:04 -------- d-----w- c:\program files\CCleaner
    2010-05-29 17:48 . 2010-03-15 21:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-05-29 17:48 . 2010-03-15 21:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-05-27 02:38 . 2009-10-11 16:54 -------- d-----r- c:\program files\Skype
    2010-05-27 02:38 . 2008-03-23 23:42 -------- d-----w- c:\program files\Microsoft Works
    2010-05-27 02:38 . 2008-02-20 22:36 -------- d-----w- c:\program files\Picasa2
    2010-05-27 02:38 . 2009-10-11 16:54 -------- d-----w- c:\program files\Common Files\Skype
    2010-05-27 02:38 . 2008-02-20 22:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-04-11 13:20 . 2010-04-11 13:20 -------- d-----w- c:\program files\3ivx
    2010-04-11 13:20 . 2010-04-11 13:20 -------- d-----w- c:\program files\Flip Video
    2010-04-11 13:20 . 2010-04-11 13:20 -------- d-----w- c:\programdata\Flip Video
    2010-04-09 15:53 . 2010-04-09 15:53 -------- d-----w- c:\program files\Essentials Codec Pack
    2010-04-09 02:34 . 2010-04-09 02:34 -------- d-----w- c:\users\hclaxton.NTECH\AppData\Roaming\Ulead Systems
    2010-03-09 16:25 . 2010-05-29 18:28 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-09 15:42 . 2010-05-29 18:28 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-03-04 17:33 . 2010-05-29 18:24 430080 ----a-w- c:\windows\system32\vbscript.dll
    2008-07-18 06:46 . 2008-07-18 06:46 14 --sha-r- c:\windows\System32\drivers\fbd.sys
    2008-07-18 06:45 . 2008-07-18 06:45 5 --sha-r- c:\windows\System32\drivers\taishop.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GoToMeeting"="c:\program files\Citrix\GoToMeeting\366\g2mstart.exe" [2009-03-16 31552]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-30 1029416]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
    "ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-18 431456]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-02-14 115560]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-26 413696]

    c:\users\hclaxton.NTECH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    SnagIt 9.lnk - c:\program files\TechSmith\SnagIt 9\SnagIt32.exe [2008-8-29 6824264]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLUA"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSimpleStartMenu"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    "NoAutoUpdate"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux3"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1138454907-3716973143-615592971-1107\Scripts\Logon\0\0]
    "Script"=\\ntech.local\SysVol\ntech.local\scripts\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1138454907-3716973143-615592971-1107\Scripts\Logon\1\0]
    "Script"=\\ntech.local\SysVol\ntech.local\scripts\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1138454907-3716973143-615592971-500\Scripts\Logon\0\0]
    "Script"=\\ntech.local\SysVol\ntech.local\scripts\logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
    2008-01-22 22:25 712704 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
    2007-10-26 00:41 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
    2008-02-14 19:08 184320 ----a-w- c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2008-01-25 16:00 154136 ----a-w- c:\windows\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2007-10-24 17:02 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2008-01-25 16:00 141848 ----a-w- c:\windows\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMAgent]
    2007-12-14 03:52 143360 ----a-w- c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2008-01-25 16:00 129560 ----a-w- c:\windows\System32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    2007-06-16 05:01 448080 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
    2008-01-30 00:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-21 02:21 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):c6,e8,5a,fd,b0,59,ca,01

    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-02-14 23888]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
    S2 msftesql$PROPHETSQL;SQL Server FullText Search (PROPHETSQL);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2007-06-22 95592]
    S2 MSSQL$PROPHETSQL;SQL Server (PROPHETSQL);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
    S3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-02-01 187904]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
    S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-01-15 48472]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = 192.168.201.3:8080
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    WebBrowser-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
    Notify-GoToAssist - c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
    SafeBoot-Symantec Antvirus
    MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql$PROPHETSQL]
    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:pROPHETSQL"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ecache]
    "ImagePath"="system32\drivers\tsk1738.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-05-30 01:13:42
    ComboFix-quarantined-files.txt 2010-05-30 05:13

    Pre-Run: 171,429,785,600 bytes free
    Post-Run: 171,415,162,880 bytes free

    - - End Of File - - AE9A604EA4CD0D7803CD705CFC7A06BB
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Upload following files to http://www.virustotal.com/ for security check:
    - explorer.exe located @ C:\Windows
    - userinit.exe and svchost.exe located @ C:\Windows\System32
    Post scans results.

    ====================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\tsk1738.tmp
    
    DDS::
    uInternet Settings,ProxyServer = 192.168.201.3:8080
    
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ecache]
    "ImagePath"="System32\drivers\ecache.sys"
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
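What Broni's CFScript reverses is visible a few lines up in the ComboFix log: the Ecache service's ImagePath rewritten to a random tsk*.tmp under system32\drivers, and a user-level IE proxy pointing at 192.168.201.3:8080, alongside EnableLUA=0, NoAutoUpdate=1 and Security Center monitoring switched off. The script below is an added example, not code from ComboFix, TechSpot or anyone in this thread: a small Python triage tool that parses ComboFix-style log lines and flags exactly those indicators. The sample log is constructed from excerpts of the log posted above; the finding names (service_imagepath_tmp and so on) are this example's own labels, not ComboFix terminology.

```python
"""Triage ComboFix-style log lines for the service hijack seen in this thread.

Added example; not ComboFix, TechSpot or Broni's code.  It flags:
  * a service ImagePath pointing at a .tmp file under system32\\drivers
    (the Ecache entry above, which Broni's CFScript resets to ecache.sys),
  * a user-level IE ProxyServer (the DDS:: line in that script),
  * UAC, automatic updates and Security Center AV monitoring switched off,
    all visible in the "Reg Loading Points" section of the log.
Finding names such as service_imagepath_tmp are this example's own labels.
"""
import re

# Constructed sample: excerpts modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

uInternet Settings,ProxyServer = 192.168.201.3:8080

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql$PROPHETSQL]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:pROPHETSQL"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ecache]
"ImagePath"="system32\drivers\tsk1738.tmp"
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)$")
SERVICE_KEY_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)$", re.IGNORECASE)
# A driver service whose image is a .tmp under drivers\ is not a normal way to
# ship a driver; it is the pattern the CFScript in this thread reverses.
TMP_DRIVER_RE = re.compile(r"\\drivers\\[^\\\s]+\.tmp\b", re.IGNORECASE)


def unquote_sz(raw):
    """Strip the outer quotes ComboFix prints around REG_SZ data."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace('\\"', '"')


def parse_dword(raw):
    """Read '0 (0x0)' or 'dword:00000001'; None when the value is absent."""
    raw = (raw or "").strip()
    m = re.match(r"^(\d+)\s*\(0x[0-9A-Fa-f]+\)$", raw)
    if m:
        return int(m.group(1))
    m = re.match(r"^dword:([0-9A-Fa-f]{8})$", raw)
    return int(m.group(1), 16) if m else None


def parse_log(text):
    """Group '"name"=value' lines under their [HKEY_...] key; keep the proxy line."""
    keys, proxy, current = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current = m.group("key")
            keys.setdefault(current, {})
        elif m := PROXY_RE.match(line):
            proxy = m.group("proxy")
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group("name")] = m.group("value")
    return keys, proxy


def find_indicators(text):
    """Return (finding, where, detail) tuples for every suspicious item found."""
    keys, proxy = parse_log(text)
    findings = []
    for key, values in keys.items():
        low = key.lower()
        svc = SERVICE_KEY_RE.search(key)
        if svc and "ImagePath" in values:
            path = unquote_sz(values["ImagePath"])
            if TMP_DRIVER_RE.search(path):
                findings.append(("service_imagepath_tmp", svc.group("svc"), path))
        if low.endswith("\\policies\\system") and parse_dword(values.get("EnableLUA")) == 0:
            findings.append(("uac_disabled", key, "EnableLUA=0"))
        if low.endswith("\\windowsupdate\\au") and parse_dword(values.get("NoAutoUpdate")) == 1:
            findings.append(("windows_update_disabled", key, "NoAutoUpdate=1"))
        if "\\security center\\monitoring\\" in low and parse_dword(values.get("DisableMonitoring")) == 1:
            findings.append(("av_monitoring_disabled", key, "DisableMonitoring=1"))
    if proxy:
        findings.append(("ie_proxy_set", "HKCU Internet Settings", proxy))
    return findings


if __name__ == "__main__":
    for finding, where, detail in find_indicators(SAMPLE_LOG):
        print(f"{finding:24} {where}: {detail}")
```

Two points worth keeping in mind when acting on such findings. The Registry:: block of a CFScript must restore the service's genuine image path (here ecache.sys, as Broni's script does), not merely delete the value, or the hijacked service simply fails to start. And a clean VirusTotal result for explorer.exe, userinit.exe and svchost.exe, as posted in the next reply, only shows that the files on disk match nothing known; it says nothing about a driver loaded from the .tmp or about code injected into those processes at runtime.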
     
  9. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    Virustotal Scan Results Below. ComboFix results to follow.

    Explorer.exe

    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.05.10 -
    AhnLab-V3 2010.05.30.00 2010.05.29 -
    AntiVir 8.2.1.242 2010.05.28 -
    Antiy-AVL 2.0.3.7 2010.05.26 -
    Authentium 5.2.0.5 2010.05.29 -
    Avast 4.8.1351.0 2010.05.30 -
    Avast5 5.0.332.0 2010.05.30 -
    AVG 9.0.0.787 2010.05.30 -
    BitDefender 7.2 2010.05.30 -
    CAT-QuickHeal 10.00 2010.05.29 -
    ClamAV 0.96.0.3-git 2010.05.30 -
    Comodo 4954 2010.05.30 -
    DrWeb 5.0.2.03300 2010.05.30 -
    eSafe 7.0.17.0 2010.05.27 -
    eTrust-Vet 35.2.7519 2010.05.29 -
    F-Prot 4.6.0.103 2010.05.29 -
    F-Secure 9.0.15370.0 2010.05.30 -
    Fortinet 4.1.133.0 2010.05.30 -
    GData 21 2010.05.30 -
    Ikarus T3.1.1.84.0 2010.05.30 -
    Jiangmin 13.0.900 2010.05.29 -
    Kaspersky 7.0.0.125 2010.05.30 -
    McAfee 5.400.0.1158 2010.05.30 -
    McAfee-GW-Edition 2010.1 2010.05.30 -
    Microsoft 1.5802 2010.05.30 -
    NOD32 5155 2010.05.30 -
    Norman 6.04.12 2010.05.30 -
    nProtect 2010-05-30.01 2010.05.30 -
    Panda 10.0.2.7 2010.05.29 -
    PCTools 7.0.3.5 2010.05.30 -
    Prevx 3.0 2010.05.30 -
    Rising 22.49.06.04 2010.05.30 -
    Sophos 4.53.0 2010.05.30 -
    Sunbelt 6376 2010.05.30 -
    Symantec 20101.1.0.89 2010.05.30 -
    TheHacker 6.5.2.0.290 2010.05.30 -
    TrendMicro 9.120.0.1004 2010.05.30 -
    TrendMicro-HouseCall 9.120.0.1004 2010.05.30 -
    VBA32 3.12.12.5 2010.05.29 -
    ViRobot 2010.5.20.2326 2010.05.28 -
    VirusBuster 5.0.27.0 2010.05.29 -
    Additional information
    File size: 2926592 bytes
    MD5 : d07d4c3038f3578ffce1c0237f2a1253
    SHA1 : 4b3bd605b63749ff255e048ca6f27aff95aec24a
    SHA256: 135dd05678c8997b45982d77298dbdd98061c9d4fe43d77866846012eb061a04
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x25E33
    timedatestamp.....: 0x49E01DA5 (Sat Apr 11 06:33:41 2009)
    machinetype.......: 0x14C (Intel I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x6BD15 0x6BE00 6.42 65eba3253a27a14fe8b3534030b7be61
    .data 0x6D000 0x2164 0x2000 0.83 8d2597b8ca27314e6e6987b53b153d90
    .rsrc 0x70000 0x2566A0 0x256800 7.04 e9c988e2d7bc4683dcec8a4fcb4b5c6d
    .reloc 0x2C7000 0x5A20 0x5C00 6.74 a3b567255330d05abe32eb8a34f61792

    ( 19 imports )

    > advapi32.dll: RegCloseKey, RegCreateKeyW, RegGetValueW, RegOpenKeyExW, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, UnregisterTraceGuids, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, EventWrite, EventEnabled, GetLengthSid, GetTokenInformation, OpenProcessToken, EventUnregister, EventRegister, GetUserNameW, RegDeleteValueW, RegEnumKeyExW, RegQueryInfoKeyW, TraceMessage, RegOpenKeyW, RegEnumKeyW, RegEnumValueW, CloseServiceHandle, OpenServiceW, OpenSCManagerW, QueryServiceStatus, CheckTokenMembership, ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, ConvertSidToStringSidW, StartServiceW, CreateWellKnownSid
    > browseui.dll: -, -
    > dwmapi.dll: DwmIsCompositionEnabled, -, DwmSetWindowAttribute, DwmEnableBlurBehindWindow, DwmQueryThumbnailSourceSize, DwmGetColorizationColor, DwmUpdateThumbnailProperties, DwmRegisterThumbnail, DwmUnregisterThumbnail
    > gdi32.dll: GetStockObject, CombineRgn, GetLayout, CreatePatternBrush, OffsetViewportOrgEx, GdiAlphaBlend, GetTextExtentPoint32W, ExtTextOutW, SetWindowOrgEx, GetPixel, PatBlt, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, GetBkColor, CreateCompatibleBitmap, OffsetWindowOrgEx, SetBkColor, GetTextExtentPointW, GetClipBox, CreateDIBSection, CreateRectRgnIndirect, SetTextColor, SetBkMode, GetTextMetricsW, CreateFontIndirectW, CreateSolidBrush, GetObjectW, DeleteObject, CreateCompatibleDC, SelectObject, BitBlt, DeleteDC, GetDeviceCaps
    > gdiplus.dll: GdiplusShutdown, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdiplusStartup, GdipCreateFromHDC, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipGetImageHeight, GdipGetImageWidth, GdipDisposeImage, GdipLoadImageFromFileICM, GdipLoadImageFromFile, GdipDeleteGraphics, GdipFree, GdipAlloc, GdipSetCompositingMode
    > kernel32.dll: GetSystemTime, GetFileAttributesW, FindClose, FindNextFileW, FindFirstFileW, GetLocalTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, FlushInstructionCache, RaiseException, GetSystemWindowsDirectoryW, SetLastError, ReadFile, GetFileSize, CreateFileW, InterlockedCompareExchange, LoadLibraryA, SystemTimeToFileTime, ExpandEnvironmentStringsW, GlobalGetAtomNameW, MultiByteToWideChar, GetEnvironmentVariableW, GetCurrentProcessId, GetModuleHandleW, lstrlenW, OpenEventW, SetEvent, GetBinaryTypeW, EnterCriticalSection, LeaveCriticalSection, GetSystemTimeAsFileTime, CompareFileTime, GlobalFree, GetTickCount, MulDiv, GetUserDefaultLangID, GetPrivateProfileIntW, GetCurrentThread, GetThreadPriority, GetCurrentThreadId, SetThreadPriority, CompareStringOrdinal, lstrcmpiW, HeapSetInformation, SetErrorMode, CreateMutexW, ReleaseMutex, GetTimeZoneInformation, SetFilePointer, SetProcessShutdownParameters, GetSystemDirectoryW, CreateEventW, SetTermsrvAppInstallMode, RegisterApplicationRestart, ExitProcess, GetModuleFileNameW, GetPrivateProfileStringW, HeapDestroy, InitializeCriticalSection, DeleteCriticalSection, GetCurrentProcess, GetProcessHeap, HeapAlloc, QueryPerformanceFrequency, GetFileAttributesExW, QueueUserWorkItem, GetLongPathNameW, GetProcessTimes, TerminateThread, GetProcessId, CreateIoCompletionPort, GetQueuedCompletionStatus, GetWindowsDirectoryW, FormatMessageW, QueryFullProcessImageNameW, GlobalAlloc, DuplicateHandle, GetCurrentDirectoryW, WideCharToMultiByte, WriteFile, DeactivateActCtx, ActivateActCtx, ReleaseActCtx, CreateActCtxW, FindResourceExW, LoadResource, LockResource, GetUserDefaultUILanguage, LoadLibraryW, GetProcAddress, FreeLibrary, WaitForSingleObject, CreateProcessW, GetCommandLineW, GetStartupInfoW, CreateThread, AssignProcessToJobObject, ResumeThread, Sleep, QueryInformationJobObject, LocalAlloc, LocalFree, CloseHandle, OpenProcess, SetPriorityClass, GetPriorityClass, CreateJobObjectW, SetInformationJobObject, GetLastError, InterlockedDecrement, InterlockedIncrement, HeapFree, UnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, InterlockedExchange, VirtualAlloc, VirtualFree, DelayLoadFailureHook
    > msvcrt.dll: memset, _unlock, _ftol2_sse, _except_handler4_common, __set_app_type, memcpy, free, memmove, realloc, __dllonexit, _lock, _onexit, _terminate@@YAXXZ, _controlfp, _vsnwprintf, malloc, __wgetmainargs, _cexit, _exit, __p__fmode, _XcptFilter, exit, _wcmdln, _initterm, _amsg_exit, __setusermatherr, _adjust_fdiv, __p__commode
    > ntdll.dll: NtOpenThreadToken, NtOpenProcessToken, RtlGetProductInfo, NtQueryInformationToken, NtClose, NtQueryInformationProcess, NtSetInformationProcess, WinSqmAddToStream, NtSetSystemInformation
    > ole32.dll: CoTaskMemFree, CoCreateInstance, CoRegisterClassObject, CoRevokeClassObject, CoGetClassObject, OleInitialize, OleUninitialize, CoGetObject, StringFromGUID2, CoUninitialize, CoInitialize, RevokeDragDrop, RegisterDragDrop, CoRegisterMessageFilter, CoMarshalInterThreadInterfaceInStream, CoGetInterfaceAndReleaseStream, CoTaskMemAlloc, CoCreateFreeThreadedMarshaler, DoDragDrop, CoInitializeEx, CreateBindCtx, CoFreeUnusedLibraries, PropVariantClear
    > oleaut32.dll: -, -, -, -, -, -
    > powrprof.dll: GetPwrCapabilities
    > propsys.dll: PSGetPropertyKeyFromName, PSPropertyKeyFromString, PSGetPropertyDescription, PSGetNameFromPropertyKey, VariantToBooleanWithDefault, VariantToInt32WithDefault, VariantToStringWithDefault, PSCreateMemoryPropertyStore, VariantToStringAlloc, PropVariantToStringAlloc
    > rpcrt4.dll: RpcBindingFree, RpcStringFreeW, RpcBindingFromStringBindingW, NdrClientCall2, RpcStringBindingComposeW, I_RpcExceptionFilter, RpcBindingSetAuthInfoExW
    > shdocvw.dll: -, -
    > shell32.dll: -, -, -, -, -, -, -, -, SHGetDesktopFolder, -, SHBindToFolderIDListParent, -, -, -, -, -, -, SHGetIDListFromObject, -, -, -, -, -, -, SHCreateShellItemArrayFromIDLists, -, -, SHCreateItemFromIDList, SHCreateShellItemArrayFromShellItem, -, -, SHBindToFolderIDListParentEx, SHChangeNotify, SHAddToRecentDocs, DuplicateIcon, -, -, -, ShellExecuteW, -, -, SHGetPathFromIDListA, SHUpdateRecycleBinIcon, SHGetKnownFolderIDList, SHGetFolderPathEx, SHFileOperationW, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -, -, -, -, -, -, -, ExtractIconExW, -, -, -, -, SHGetSpecialFolderLocation, -, -, SHBindToParent, Shell_NotifyIconW, SHGetFolderPathAndSubDirW, Shell_GetCachedImageIndexW, SHGetFolderPathW, -, SHEvaluateSystemCommandTemplate, -, -, -, -, -, -, -, -, -, -, -, SHBindToObject, -, ShellExecuteExW, -, -, SHGetSpecialFolderPathW, -, SHParseDisplayName, -, SHGetFolderLocation, -, -, -, -, -
    > shlwapi.dll: PathGetDriveNumberW, -, -, PathRemoveFileSpecW, -, -, SHRegGetUSValueW, -, StrDupW, PathQuoteSpacesW, -, -, -, -, StrChrIW, -, -, -, SHRegOpenUSKeyW, SHRegQueryUSValueW, StrCmpW, AssocQueryStringW, -, -, -, -, -, AssocQueryKeyW, PathParseIconLocationW, PathIsPrefixW, -, PathRemoveExtensionW, SHOpenRegStream2W, PathFileExistsW, -, -, -, -, PathFindExtensionW, SHQueryInfoKeyW, -, -, -, -, -, -, -, -, SHDeleteKeyW, PathAppendW, SHDeleteValueW, -, -, -, PathRemoveArgsW, PathRemoveBlanksW, StrCmpNIW, PathFindFileNameW, -, SHSetValueW, SHGetValueW, SHCreateThreadRef, SHSetThreadRef, -, -, PathCombineW, SHRegGetValueW, StrToIntW, -, -, -, PathGetArgsW, StrChrW, -, -, -, -, SHStrDupW, -, -, -, -, -, StrRetToBufW, -, -, -, -, -, -, StrRetToStrW, -, -, StrStrIW, -, -, PathMatchSpecW, PathIsRootW, PathIsNetworkPathW, SHQueryValueExW, AssocCreate, StrCmpIW, -, -, -, StrCmpNW, -, -, StrPBrkW, -, -, -, PathStripToRootW, -, PathIsDirectoryW, -
    > slc.dll: SLGetWindowsInformationDWORD
    > user32.dll: GetDlgItem, LoadCursorW, RegisterClassW, IsChild, SetTimer, MonitorFromRect, SetWindowTextW, SetClassLongW, GetClassInfoW, GetClassLongW, KillTimer, GetClassInfoExW, IsWindowEnabled, GetShellWindow, GetIconInfo, SetScrollInfo, GetLastActivePopup, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, IsWindowVisible, IsWindow, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, BeginDeferWindowPos, DeferWindowPos, EndDeferWindowPos, SetFocus, SetForegroundWindow, LoadMenuW, SetMenuInfo, SetMenuDefaultItem, GetSubMenu, TrackPopupMenuEx, LoadImageW, InsertMenuItemW, DestroyIcon, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharUpperBuffW, PostQuitMessage, LoadStringW, ShutdownBlockReasonCreate, GetWindowLongA, SetWindowLongW, UnregisterDeviceNotification, RegisterDeviceNotificationW, RegisterWindowMessageW, SetWindowPos, RegisterClassExW, GetDesktopWindow, UpdateWindow, InvalidateRect, BeginPaint, LoadBitmapW, SetLayeredWindowAttributes, EndPaint, ShowWindow, DefWindowProcW, MoveWindow, DestroyWindow, UnregisterClassW, SetProcessDPIAware, PeekMessageW, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, GetKeyboardLayout, ActivateKeyboardLayout, IsProcessDPIAware, PrintWindow, GetDCEx, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, GetDlgCtrlID, ChildWindowFromPointEx, GetCapture, GetGUIThreadInfo, SetWindowLongA, CharUpperW, GetWindowDC, RegisterClipboardFormatW, UnhookWinEvent, SetWinEventHook, ReleaseCapture, GetUserObjectInformationW, GetProcessWindowStation, FlashWindowEx, GetForegroundWindow, PostMessageW, CreatePopupMenu, GetWindowThreadProcessId, MsgWaitForMultipleObjectsEx, CharPrevW, CharNextW, DispatchMessageW, TranslateMessage, GetMessageW, EqualRect, UnionRect, MapWindowPoints, GetClientRect, EnumWindows, EndTask, SetThreadDesktop, GetThreadDesktop, GetMenuItemID, IsHungAppWindow, DrawTextW, GetSysColor, TrackPopupMenu, SendMessageCallbackW, DeregisterShellHookWindow, EndDialog, IsDlgButtonChecked, LoadIconW, GetSysColorBrush, CloseDesktop, OpenInputDesktop, SetActiveWindow, IsRectEmpty, GetAsyncKeyState, RegisterShellHookWindow, FillRect, GetCursorPos, SetPropW, CopyRect, LockSetForegroundWindow, MonitorFromPoint, InflateRect, GetClassNameW, SubtractRect, RedrawWindow, EnumDisplayMonitors, OffsetRect, IntersectRect, SetWindowRgn, GetMenuState, GhostWindowFromHungWindow, HungWindowFromGhostWindow, GetWindowPlacement, RemovePropW, SendMessageTimeoutW, UnregisterHotKey, RegisterHotKey, InsertMenuW, ModifyMenuW, ClientToScreen, ScreenToClient, GetMenuItemCount, GetFocus, GetScrollInfo, InternalGetWindowText, GetKeyState, ChangeDisplaySettingsW, GetWindowLongW, EnumChildWindows, SendMessageW, GetWindow, GetWindowRect, PtInRect, SetCursor, ChildWindowFromPoint, SetCursorPos, GetMessagePos, LoadAcceleratorsW, WaitMessage, TranslateAcceleratorW, GetWindowRgnBox, GetActiveWindow, MessageBeep, SetWindowPlacement, SetRect, SendNotifyMessageW, UpdateLayeredWindow, GetLastInputInfo, SendDlgItemMessageW, AllowSetForegroundWindow, RemoveMenu, SetParent, CallWindowProcW, EnableWindow, GetDlgItemInt, SetDlgItemInt, CheckDlgButton, CopyIcon, DrawFocusRect, NotifyWinEvent, ExitWindowsEx, DrawEdge, WindowFromPoint, GetDoubleClickTime, SetCapture, TrackMouseEvent, LockWorkStation, AppendMenuW, GetParent, SetScrollPos, SetRectEmpty, AdjustWindowRectEx, BringWindowToTop, CascadeWindows, GetSystemMetrics, SystemParametersInfoW, FindWindowW, ReleaseDC, GetDC, DestroyMenu, GetMenuDefaultItem, TileWindows, GetAncestor, SwitchToThisWindow, CheckMenuItem, ShowWindowAsync
    > uxtheme.dll: IsCompositionActive, IsAppThemed, GetThemeMargins, GetThemeRect, IsThemePartDefined, GetThemeBackgroundRegion, DrawThemeTextEx, GetThemeFont, GetThemeColor, GetThemeBool, GetThemeInt, SetWindowTheme, DrawThemeText, GetThemeTextExtent, DrawThemeBackground, CloseThemeData, OpenThemeData, DrawThemeParentBackground, GetThemePartSize, GetThemeMetric, GetThemeBackgroundContentRect

    ( 0 exports )

    TrID : File type identification
    Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    ThreatExpert: http://www.threatexpert.com/report.aspx?md5=d07d4c3038f3578ffce1c0237f2a1253
    ssdeep: 24576:5d8uxOc/QpDk5pGYCW5uXSA7jTeFadRsxFb/g/J/ulZl:TOcLC8A7/eFwY3l/

    Userinit.exe

    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.05.10 -
    AhnLab-V3 2010.05.25.00 2010.05.25 -
    AntiVir 8.2.1.242 2010.05.24 -
    Antiy-AVL 2.0.3.7 2010.05.24 -
    Authentium 5.2.0.5 2010.05.25 -
    Avast 4.8.1351.0 2010.05.24 -
    Avast5 5.0.332.0 2010.05.24 -
    AVG 9.0.0.787 2010.05.24 -
    BitDefender 7.2 2010.05.25 -
    CAT-QuickHeal 10.00 2010.05.25 -
    ClamAV 0.96.0.3-git 2010.05.25 -
    Comodo 4937 2010.05.25 -
    DrWeb 5.0.2.03300 2010.05.25 -
    eSafe 7.0.17.0 2010.05.24 -
    eTrust-Vet 35.2.7507 2010.05.24 -
    F-Prot 4.6.0.103 2010.05.24 -
    F-Secure 9.0.15370.0 2010.05.25 -
    Fortinet 4.1.133.0 2010.05.23 -
    GData 21 2010.05.25 -
    Ikarus T3.1.1.84.0 2010.05.25 -
    Jiangmin 13.0.900 2010.05.24 -
    Kaspersky 7.0.0.125 2010.05.25 -
    McAfee 5.400.0.1158 2010.05.25 -
    McAfee-GW-Edition 2010.1 2010.05.24 -
    Microsoft 1.5802 2010.05.25 -
    NOD32 5142 2010.05.24 -
    Norman 6.04.12 2010.05.24 -
    nProtect 2010-05-24.01 2010.05.24 -
    Panda 10.0.2.7 2010.05.24 -
    PCTools 7.0.3.5 2010.05.25 -
    Prevx 3.0 2010.05.25 -
    Rising 22.49.01.03 2010.05.25 -
    Sophos 4.53.0 2010.05.25 -
    Sunbelt 6351 2010.05.25 -
    Symantec 20101.1.0.89 2010.05.25 -
    TheHacker 6.5.2.0.287 2010.05.25 -
    TrendMicro 9.120.0.1004 2010.05.25 -
    TrendMicro-HouseCall 9.120.0.1004 2010.05.25 -
    VBA32 3.12.12.5 2010.05.22 -
    ViRobot 2010.5.20.2326 2010.05.25 -
    VirusBuster 5.0.27.0 2010.05.24 -
    Additional information
    File size: 25088 bytes
    MD5 : 0e135526e9785d085bcd9aede6fbcbf9
    SHA1 : d15244d41efddbab08d53fe032aedff39091d3af
    SHA256: 75eea7e5ae90d857b777361a0166f9a82e354f229fd5250af8738364e6fb45db
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x2AE5
    timedatestamp.....: 0x47918D87 (Sat Jan 19 06:41:27 2008)
    machinetype.......: 0x14C (Intel I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x4A2D 0x4C00 6.04 a21b68c5650468c1bc36f74b6c0ca26b
    .data 0x6000 0x498 0x600 0.71 1c4544d585aae74667954f292fb15884
    .rsrc 0x7000 0x780 0x800 4.04 9110c031f7af84bd01ee2d772a5521bd
    .reloc 0x8000 0x3D0 0x400 6.50 2e13e6c4860701e4a4d0db6e88af4c7c

    ( 0 imports )


    ( 0 exports )

    TrID : File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    ssdeep: 384:19KvuowvkKP3vaAf7MQHZa34SACInaPGvF6xUqYzuSSqm6qFWd3ymWfG:XwIPPZAJxGt/q6sqw1n

    Svchost.exe

    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.05.10 -
    AhnLab-V3 2010.05.30.00 2010.05.29 -
    AntiVir 8.2.1.242 2010.05.28 -
    Antiy-AVL 2.0.3.7 2010.05.26 -
    Authentium 5.2.0.5 2010.05.29 -
    Avast 4.8.1351.0 2010.05.30 -
    Avast5 5.0.332.0 2010.05.30 -
    AVG 9.0.0.787 2010.05.30 -
    BitDefender 7.2 2010.05.30 -
    CAT-QuickHeal 10.00 2010.05.29 -
    ClamAV 0.96.0.3-git 2010.05.30 -
    Comodo 4956 2010.05.30 -
    DrWeb 5.0.2.03300 2010.05.30 -
    eSafe 7.0.17.0 2010.05.30 -
    eTrust-Vet 35.2.7519 2010.05.29 -
    F-Prot 4.6.0.103 2010.05.29 -
    F-Secure 9.0.15370.0 2010.05.30 -
    Fortinet 4.1.133.0 2010.05.30 -
    GData 21 2010.05.30 -
    Ikarus T3.1.1.84.0 2010.05.30 -
    Jiangmin 13.0.900 2010.05.30 -
    Kaspersky 7.0.0.125 2010.05.30 -
    McAfee 5.400.0.1158 2010.05.30 -
    McAfee-GW-Edition 2010.1 2010.05.30 -
    Microsoft 1.5802 2010.05.30 -
    NOD32 5155 2010.05.30 -
    Norman 6.04.12 2010.05.30 -
    nProtect 2010-05-30.01 2010.05.30 -
    Panda 10.0.2.7 2010.05.30 -
    PCTools 7.0.3.5 2010.05.30 -
    Rising 22.49.06.04 2010.05.30 -
    Sophos 4.53.0 2010.05.30 -
    Sunbelt 6377 2010.05.30 -
    Symantec 20101.1.0.89 2010.05.30 -
    TheHacker 6.5.2.0.290 2010.05.30 -
    TrendMicro 9.120.0.1004 2010.05.30 -
    TrendMicro-HouseCall 9.120.0.1004 2010.05.30 -
    VBA32 3.12.12.5 2010.05.29 -
    ViRobot 2010.5.20.2326 2010.05.28 -
    VirusBuster 5.0.27.0 2010.05.30 -
    Additional information
    File size: 21504 bytes
    MD5 : 3794b461c45882e06856f282eef025af
    SHA1 : bf15549a7ec01ac505ccac036aba5b9bae688135
    SHA256: d4f79d7bc639fe86ac68961e6273836b9d7af491773fd054395b33d317017beb
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x2083
    timedatestamp.....: 0x47918B89 (Sat Jan 19 06:32:57 2008)
    machinetype.......: 0x14C (Intel I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x3A24 0x3C00 6.21 5037917ca875679df4e24d44d02f02b4
    .data 0x5000 0x5EC 0x600 0.83 9203e7f188b0ecb11266e90e9a442853
    .rsrc 0x6000 0x818 0xA00 3.75 013fd325d2363ecadecd660d847876e8
    .reloc 0x7000 0x400 0x400 6.61 296b23856e7f7105159e55c33338cd9b

    ( 0 imports )


    ( 0 exports )

    TrID : File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    ThreatExpert: http://www.threatexpert.com/report.aspx?md5=3794b461c45882e06856f282eef025af
    ssdeep: 384:ZqBHgWPkbXKxUVkOsKVG3GI0yej4dT+VI2GEvmW9ZrbWxOHZ+:ZqBLO6xUVkOs8G3HGj4OISPw
     
  10. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    Virustotal scan results below. Combofix results to follow.

    Svchost.exe

    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.05.10 -
    AhnLab-V3 2010.05.30.00 2010.05.29 -
    AntiVir 8.2.1.242 2010.05.28 -
    Antiy-AVL 2.0.3.7 2010.05.26 -
    Authentium 5.2.0.5 2010.05.29 -
    Avast 4.8.1351.0 2010.05.30 -
    Avast5 5.0.332.0 2010.05.30 -
    AVG 9.0.0.787 2010.05.30 -
    BitDefender 7.2 2010.05.30 -
    CAT-QuickHeal 10.00 2010.05.29 -
    ClamAV 0.96.0.3-git 2010.05.30 -
    Comodo 4956 2010.05.30 -
    DrWeb 5.0.2.03300 2010.05.30 -
    eSafe 7.0.17.0 2010.05.30 -
    eTrust-Vet 35.2.7519 2010.05.29 -
    F-Prot 4.6.0.103 2010.05.29 -
    F-Secure 9.0.15370.0 2010.05.30 -
    Fortinet 4.1.133.0 2010.05.30 -
    GData 21 2010.05.30 -
    Ikarus T3.1.1.84.0 2010.05.30 -
    Jiangmin 13.0.900 2010.05.30 -
    Kaspersky 7.0.0.125 2010.05.30 -
    McAfee 5.400.0.1158 2010.05.30 -
    McAfee-GW-Edition 2010.1 2010.05.30 -
    Microsoft 1.5802 2010.05.30 -
    NOD32 5155 2010.05.30 -
    Norman 6.04.12 2010.05.30 -
    nProtect 2010-05-30.01 2010.05.30 -
    Panda 10.0.2.7 2010.05.30 -
    PCTools 7.0.3.5 2010.05.30 -
    Rising 22.49.06.04 2010.05.30 -
    Sophos 4.53.0 2010.05.30 -
    Sunbelt 6377 2010.05.30 -
    Symantec 20101.1.0.89 2010.05.30 -
    TheHacker 6.5.2.0.290 2010.05.30 -
    TrendMicro 9.120.0.1004 2010.05.30 -
    TrendMicro-HouseCall 9.120.0.1004 2010.05.30 -
    VBA32 3.12.12.5 2010.05.29 -
    ViRobot 2010.5.20.2326 2010.05.28 -
    VirusBuster 5.0.27.0 2010.05.30 -
    Additional information
    File size: 21504 bytes
    MD5 : 3794b461c45882e06856f282eef025af
    SHA1 : bf15549a7ec01ac505ccac036aba5b9bae688135
    SHA256: d4f79d7bc639fe86ac68961e6273836b9d7af491773fd054395b33d317017beb
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x2083
    timedatestamp.....: 0x47918B89 (Sat Jan 19 06:32:57 2008)
    machinetype.......: 0x14C (Intel I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x3A24 0x3C00 6.21 5037917ca875679df4e24d44d02f02b4
    .data 0x5000 0x5EC 0x600 0.83 9203e7f188b0ecb11266e90e9a442853
    .rsrc 0x6000 0x818 0xA00 3.75 013fd325d2363ecadecd660d847876e8
    .reloc 0x7000 0x400 0x400 6.61 296b23856e7f7105159e55c33338cd9b

    ( 0 imports )


    ( 0 exports )

    TrID : File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)


    Userinit.exe

    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.05.10 -
    AhnLab-V3 2010.05.25.00 2010.05.25 -
    AntiVir 8.2.1.242 2010.05.24 -
    Antiy-AVL 2.0.3.7 2010.05.24 -
    Authentium 5.2.0.5 2010.05.25 -
    Avast 4.8.1351.0 2010.05.24 -
    Avast5 5.0.332.0 2010.05.24 -
    AVG 9.0.0.787 2010.05.24 -
    BitDefender 7.2 2010.05.25 -
    CAT-QuickHeal 10.00 2010.05.25 -
    ClamAV 0.96.0.3-git 2010.05.25 -
    Comodo 4937 2010.05.25 -
    DrWeb 5.0.2.03300 2010.05.25 -
    eSafe 7.0.17.0 2010.05.24 -
    eTrust-Vet 35.2.7507 2010.05.24 -
    F-Prot 4.6.0.103 2010.05.24 -
    F-Secure 9.0.15370.0 2010.05.25 -
    Fortinet 4.1.133.0 2010.05.23 -
    GData 21 2010.05.25 -
    Ikarus T3.1.1.84.0 2010.05.25 -
    Jiangmin 13.0.900 2010.05.24 -
    Kaspersky 7.0.0.125 2010.05.25 -
    McAfee 5.400.0.1158 2010.05.25 -
    McAfee-GW-Edition 2010.1 2010.05.24 -
    Microsoft 1.5802 2010.05.25 -
    NOD32 5142 2010.05.24 -
    Norman 6.04.12 2010.05.24 -
    nProtect 2010-05-24.01 2010.05.24 -
    Panda 10.0.2.7 2010.05.24 -
    PCTools 7.0.3.5 2010.05.25 -
    Prevx 3.0 2010.05.25 -
    Rising 22.49.01.03 2010.05.25 -
    Sophos 4.53.0 2010.05.25 -
    Sunbelt 6351 2010.05.25 -
    Symantec 20101.1.0.89 2010.05.25 -
    TheHacker 6.5.2.0.287 2010.05.25 -
    TrendMicro 9.120.0.1004 2010.05.25 -
    TrendMicro-HouseCall 9.120.0.1004 2010.05.25 -
    VBA32 3.12.12.5 2010.05.22 -
    ViRobot 2010.5.20.2326 2010.05.25 -
    VirusBuster 5.0.27.0 2010.05.24 -
    Additional information
    File size: 25088 bytes
    MD5 : 0e135526e9785d085bcd9aede6fbcbf9
    SHA1 : d15244d41efddbab08d53fe032aedff39091d3af
    SHA256: 75eea7e5ae90d857b777361a0166f9a82e354f229fd5250af8738364e6fb45db
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x2AE5
    timedatestamp.....: 0x47918D87 (Sat Jan 19 06:41:27 2008)
    machinetype.......: 0x14C (Intel I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x4A2D 0x4C00 6.04 a21b68c5650468c1bc36f74b6c0ca26b
    .data 0x6000 0x498 0x600 0.71 1c4544d585aae74667954f292fb15884
    .rsrc 0x7000 0x780 0x800 4.04 9110c031f7af84bd01ee2d772a5521bd
    .reloc 0x8000 0x3D0 0x400 6.50 2e13e6c4860701e4a4d0db6e88af4c7c

    ( 0 imports )


    ( 0 exports )

    TrID : File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)


    Explorer.exe

    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.05.10 -
    AhnLab-V3 2010.05.30.00 2010.05.29 -
    AntiVir 8.2.1.242 2010.05.28 -
    Antiy-AVL 2.0.3.7 2010.05.26 -
    Authentium 5.2.0.5 2010.05.29 -
    Avast 4.8.1351.0 2010.05.30 -
    Avast5 5.0.332.0 2010.05.30 -
    AVG 9.0.0.787 2010.05.30 -
    BitDefender 7.2 2010.05.30 -
    CAT-QuickHeal 10.00 2010.05.29 -
    ClamAV 0.96.0.3-git 2010.05.30 -
    Comodo 4954 2010.05.30 -
    DrWeb 5.0.2.03300 2010.05.30 -
    eSafe 7.0.17.0 2010.05.27 -
    eTrust-Vet 35.2.7519 2010.05.29 -
    F-Prot 4.6.0.103 2010.05.29 -
    F-Secure 9.0.15370.0 2010.05.30 -
    Fortinet 4.1.133.0 2010.05.30 -
    GData 21 2010.05.30 -
    Ikarus T3.1.1.84.0 2010.05.30 -
    Jiangmin 13.0.900 2010.05.29 -
    Kaspersky 7.0.0.125 2010.05.30 -
    McAfee 5.400.0.1158 2010.05.30 -
    McAfee-GW-Edition 2010.1 2010.05.30 -
    Microsoft 1.5802 2010.05.30 -
    NOD32 5155 2010.05.30 -
    Norman 6.04.12 2010.05.30 -
    nProtect 2010-05-30.01 2010.05.30 -
    Panda 10.0.2.7 2010.05.29 -
    PCTools 7.0.3.5 2010.05.30 -
    Prevx 3.0 2010.05.30 -
    Rising 22.49.06.04 2010.05.30 -
    Sophos 4.53.0 2010.05.30 -
    Sunbelt 6376 2010.05.30 -
    Symantec 20101.1.0.89 2010.05.30 -
    TheHacker 6.5.2.0.290 2010.05.30 -
    TrendMicro 9.120.0.1004 2010.05.30 -
    TrendMicro-HouseCall 9.120.0.1004 2010.05.30 -
    VBA32 3.12.12.5 2010.05.29 -
    ViRobot 2010.5.20.2326 2010.05.28 -
    VirusBuster 5.0.27.0 2010.05.29 -
    Additional information
    File size: 2926592 bytes
    MD5 : d07d4c3038f3578ffce1c0237f2a1253
    SHA1 : 4b3bd605b63749ff255e048ca6f27aff95aec24a
    SHA256: 135dd05678c8997b45982d77298dbdd98061c9d4fe43d77866846012eb061a04
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x25E33
    timedatestamp.....: 0x49E01DA5 (Sat Apr 11 06:33:41 2009)
    machinetype.......: 0x14C (Intel I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x6BD15 0x6BE00 6.42 65eba3253a27a14fe8b3534030b7be61
    .data 0x6D000 0x2164 0x2000 0.83 8d2597b8ca27314e6e6987b53b153d90
    .rsrc 0x70000 0x2566A0 0x256800 7.04 e9c988e2d7bc4683dcec8a4fcb4b5c6d
    .reloc 0x2C7000 0x5A20 0x5C00 6.74 a3b567255330d05abe32eb8a34f61792

    ( 19 imports )

    > advapi32.dll: RegCloseKey, RegCreateKeyW, RegGetValueW, RegOpenKeyExW, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, UnregisterTraceGuids, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, EventWrite, EventEnabled, GetLengthSid, GetTokenInformation, OpenProcessToken, EventUnregister, EventRegister, GetUserNameW, RegDeleteValueW, RegEnumKeyExW, RegQueryInfoKeyW, TraceMessage, RegOpenKeyW, RegEnumKeyW, RegEnumValueW, CloseServiceHandle, OpenServiceW, OpenSCManagerW, QueryServiceStatus, CheckTokenMembership, ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, ConvertSidToStringSidW, StartServiceW, CreateWellKnownSid
    > browseui.dll: -, -
    > dwmapi.dll: DwmIsCompositionEnabled, -, DwmSetWindowAttribute, DwmEnableBlurBehindWindow, DwmQueryThumbnailSourceSize, DwmGetColorizationColor, DwmUpdateThumbnailProperties, DwmRegisterThumbnail, DwmUnregisterThumbnail
    > gdi32.dll: GetStockObject, CombineRgn, GetLayout, CreatePatternBrush, OffsetViewportOrgEx, GdiAlphaBlend, GetTextExtentPoint32W, ExtTextOutW, SetWindowOrgEx, GetPixel, PatBlt, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, GetBkColor, CreateCompatibleBitmap, OffsetWindowOrgEx, SetBkColor, GetTextExtentPointW, GetClipBox, CreateDIBSection, CreateRectRgnIndirect, SetTextColor, SetBkMode, GetTextMetricsW, CreateFontIndirectW, CreateSolidBrush, GetObjectW, DeleteObject, CreateCompatibleDC, SelectObject, BitBlt, DeleteDC, GetDeviceCaps
    > gdiplus.dll: GdiplusShutdown, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdiplusStartup, GdipCreateFromHDC, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipGetImageHeight, GdipGetImageWidth, GdipDisposeImage, GdipLoadImageFromFileICM, GdipLoadImageFromFile, GdipDeleteGraphics, GdipFree, GdipAlloc, GdipSetCompositingMode
    > kernel32.dll: GetSystemTime, GetFileAttributesW, FindClose, FindNextFileW, FindFirstFileW, GetLocalTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, FlushInstructionCache, RaiseException, GetSystemWindowsDirectoryW, SetLastError, ReadFile, GetFileSize, CreateFileW, InterlockedCompareExchange, LoadLibraryA, SystemTimeToFileTime, ExpandEnvironmentStringsW, GlobalGetAtomNameW, MultiByteToWideChar, GetEnvironmentVariableW, GetCurrentProcessId, GetModuleHandleW, lstrlenW, OpenEventW, SetEvent, GetBinaryTypeW, EnterCriticalSection, LeaveCriticalSection, GetSystemTimeAsFileTime, CompareFileTime, GlobalFree, GetTickCount, MulDiv, GetUserDefaultLangID, GetPrivateProfileIntW, GetCurrentThread, GetThreadPriority, GetCurrentThreadId, SetThreadPriority, CompareStringOrdinal, lstrcmpiW, HeapSetInformation, SetErrorMode, CreateMutexW, ReleaseMutex, GetTimeZoneInformation, SetFilePointer, SetProcessShutdownParameters, GetSystemDirectoryW, CreateEventW, SetTermsrvAppInstallMode, RegisterApplicationRestart, ExitProcess, GetModuleFileNameW, GetPrivateProfileStringW, HeapDestroy, InitializeCriticalSection, DeleteCriticalSection, GetCurrentProcess, GetProcessHeap, HeapAlloc, QueryPerformanceFrequency, GetFileAttributesExW, QueueUserWorkItem, GetLongPathNameW, GetProcessTimes, TerminateThread, GetProcessId, CreateIoCompletionPort, GetQueuedCompletionStatus, GetWindowsDirectoryW, FormatMessageW, QueryFullProcessImageNameW, GlobalAlloc, DuplicateHandle, GetCurrentDirectoryW, WideCharToMultiByte, WriteFile, DeactivateActCtx, ActivateActCtx, ReleaseActCtx, CreateActCtxW, FindResourceExW, LoadResource, LockResource, GetUserDefaultUILanguage, LoadLibraryW, GetProcAddress, FreeLibrary, WaitForSingleObject, CreateProcessW, GetCommandLineW, GetStartupInfoW, CreateThread, AssignProcessToJobObject, ResumeThread, Sleep, QueryInformationJobObject, LocalAlloc, LocalFree, CloseHandle, OpenProcess, SetPriorityClass, GetPriorityClass, CreateJobObjectW, SetInformationJobObject, GetLastError, InterlockedDecrement, InterlockedIncrement, HeapFree, UnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, InterlockedExchange, VirtualAlloc, VirtualFree, DelayLoadFailureHook
    > msvcrt.dll: memset, _unlock, _ftol2_sse, _except_handler4_common, __set_app_type, memcpy, free, memmove, realloc, __dllonexit, _lock, _onexit, _terminate@@YAXXZ, _controlfp, _vsnwprintf, malloc, __wgetmainargs, _cexit, _exit, __p__fmode, _XcptFilter, exit, _wcmdln, _initterm, _amsg_exit, __setusermatherr, _adjust_fdiv, __p__commode
    > ntdll.dll: NtOpenThreadToken, NtOpenProcessToken, RtlGetProductInfo, NtQueryInformationToken, NtClose, NtQueryInformationProcess, NtSetInformationProcess, WinSqmAddToStream, NtSetSystemInformation
    > ole32.dll: CoTaskMemFree, CoCreateInstance, CoRegisterClassObject, CoRevokeClassObject, CoGetClassObject, OleInitialize, OleUninitialize, CoGetObject, StringFromGUID2, CoUninitialize, CoInitialize, RevokeDragDrop, RegisterDragDrop, CoRegisterMessageFilter, CoMarshalInterThreadInterfaceInStream, CoGetInterfaceAndReleaseStream, CoTaskMemAlloc, CoCreateFreeThreadedMarshaler, DoDragDrop, CoInitializeEx, CreateBindCtx, CoFreeUnusedLibraries, PropVariantClear
    > oleaut32.dll: -, -, -, -, -, -
    > powrprof.dll: GetPwrCapabilities
    > propsys.dll: PSGetPropertyKeyFromName, PSPropertyKeyFromString, PSGetPropertyDescription, PSGetNameFromPropertyKey, VariantToBooleanWithDefault, VariantToInt32WithDefault, VariantToStringWithDefault, PSCreateMemoryPropertyStore, VariantToStringAlloc, PropVariantToStringAlloc
    > rpcrt4.dll: RpcBindingFree, RpcStringFreeW, RpcBindingFromStringBindingW, NdrClientCall2, RpcStringBindingComposeW, I_RpcExceptionFilter, RpcBindingSetAuthInfoExW
    > shdocvw.dll: -, -
    > shell32.dll: -, -, -, -, -, -, -, -, SHGetDesktopFolder, -, SHBindToFolderIDListParent, -, -, -, -, -, -, SHGetIDListFromObject, -, -, -, -, -, -, SHCreateShellItemArrayFromIDLists, -, -, SHCreateItemFromIDList, SHCreateShellItemArrayFromShellItem, -, -, SHBindToFolderIDListParentEx, SHChangeNotify, SHAddToRecentDocs, DuplicateIcon, -, -, -, ShellExecuteW, -, -, SHGetPathFromIDListA, SHUpdateRecycleBinIcon, SHGetKnownFolderIDList, SHGetFolderPathEx, SHFileOperationW, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -, -, -, -, -, -, -, ExtractIconExW, -, -, -, -, SHGetSpecialFolderLocation, -, -, SHBindToParent, Shell_NotifyIconW, SHGetFolderPathAndSubDirW, Shell_GetCachedImageIndexW, SHGetFolderPathW, -, SHEvaluateSystemCommandTemplate, -, -, -, -, -, -, -, -, -, -, -, SHBindToObject, -, ShellExecuteExW, -, -, SHGetSpecialFolderPathW, -, SHParseDisplayName, -, SHGetFolderLocation, -, -, -, -, -
    > shlwapi.dll: PathGetDriveNumberW, -, -, PathRemoveFileSpecW, -, -, SHRegGetUSValueW, -, StrDupW, PathQuoteSpacesW, -, -, -, -, StrChrIW, -, -, -, SHRegOpenUSKeyW, SHRegQueryUSValueW, StrCmpW, AssocQueryStringW, -, -, -, -, -, AssocQueryKeyW, PathParseIconLocationW, PathIsPrefixW, -, PathRemoveExtensionW, SHOpenRegStream2W, PathFileExistsW, -, -, -, -, PathFindExtensionW, SHQueryInfoKeyW, -, -, -, -, -, -, -, -, SHDeleteKeyW, PathAppendW, SHDeleteValueW, -, -, -, PathRemoveArgsW, PathRemoveBlanksW, StrCmpNIW, PathFindFileNameW, -, SHSetValueW, SHGetValueW, SHCreateThreadRef, SHSetThreadRef, -, -, PathCombineW, SHRegGetValueW, StrToIntW, -, -, -, PathGetArgsW, StrChrW, -, -, -, -, SHStrDupW, -, -, -, -, -, StrRetToBufW, -, -, -, -, -, -, StrRetToStrW, -, -, StrStrIW, -, -, PathMatchSpecW, PathIsRootW, PathIsNetworkPathW, SHQueryValueExW, AssocCreate, StrCmpIW, -, -, -, StrCmpNW, -, -, StrPBrkW, -, -, -, PathStripToRootW, -, PathIsDirectoryW, -
    > slc.dll: SLGetWindowsInformationDWORD
    > user32.dll: GetDlgItem, LoadCursorW, RegisterClassW, IsChild, SetTimer, MonitorFromRect, SetWindowTextW, SetClassLongW, GetClassInfoW, GetClassLongW, KillTimer, GetClassInfoExW, IsWindowEnabled, GetShellWindow, GetIconInfo, SetScrollInfo, GetLastActivePopup, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, IsWindowVisible, IsWindow, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, BeginDeferWindowPos, DeferWindowPos, EndDeferWindowPos, SetFocus, SetForegroundWindow, LoadMenuW, SetMenuInfo, SetMenuDefaultItem, GetSubMenu, TrackPopupMenuEx, LoadImageW, InsertMenuItemW, DestroyIcon, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharUpperBuffW, PostQuitMessage, LoadStringW, ShutdownBlockReasonCreate, GetWindowLongA, SetWindowLongW, UnregisterDeviceNotification, RegisterDeviceNotificationW, RegisterWindowMessageW, SetWindowPos, RegisterClassExW, GetDesktopWindow, UpdateWindow, InvalidateRect, BeginPaint, LoadBitmapW, SetLayeredWindowAttributes, EndPaint, ShowWindow, DefWindowProcW, MoveWindow, DestroyWindow, UnregisterClassW, SetProcessDPIAware, PeekMessageW, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, GetKeyboardLayout, ActivateKeyboardLayout, IsProcessDPIAware, PrintWindow, GetDCEx, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, GetDlgCtrlID, ChildWindowFromPointEx, GetCapture, GetGUIThreadInfo, SetWindowLongA, CharUpperW, GetWindowDC, RegisterClipboardFormatW, UnhookWinEvent, SetWinEventHook, ReleaseCapture, GetUserObjectInformationW, GetProcessWindowStation, FlashWindowEx, GetForegroundWindow, PostMessageW, CreatePopupMenu, GetWindowThreadProcessId, MsgWaitForMultipleObjectsEx, CharPrevW, CharNextW, DispatchMessageW, TranslateMessage, GetMessageW, EqualRect, UnionRect, MapWindowPoints, GetClientRect, EnumWindows, EndTask, SetThreadDesktop, GetThreadDesktop, GetMenuItemID, IsHungAppWindow, DrawTextW, GetSysColor, TrackPopupMenu, SendMessageCallbackW, DeregisterShellHookWindow, EndDialog, IsDlgButtonChecked, LoadIconW, GetSysColorBrush, CloseDesktop, OpenInputDesktop, SetActiveWindow, IsRectEmpty, GetAsyncKeyState, RegisterShellHookWindow, FillRect, GetCursorPos, SetPropW, CopyRect, LockSetForegroundWindow, MonitorFromPoint, InflateRect, GetClassNameW, SubtractRect, RedrawWindow, EnumDisplayMonitors, OffsetRect, IntersectRect, SetWindowRgn, GetMenuState, GhostWindowFromHungWindow, HungWindowFromGhostWindow, GetWindowPlacement, RemovePropW, SendMessageTimeoutW, UnregisterHotKey, RegisterHotKey, InsertMenuW, ModifyMenuW, ClientToScreen, ScreenToClient, GetMenuItemCount, GetFocus, GetScrollInfo, InternalGetWindowText, GetKeyState, ChangeDisplaySettingsW, GetWindowLongW, EnumChildWindows, SendMessageW, GetWindow, GetWindowRect, PtInRect, SetCursor, ChildWindowFromPoint, SetCursorPos, GetMessagePos, LoadAcceleratorsW, WaitMessage, TranslateAcceleratorW, GetWindowRgnBox, GetActiveWindow, MessageBeep, SetWindowPlacement, SetRect, SendNotifyMessageW, UpdateLayeredWindow, GetLastInputInfo, SendDlgItemMessageW, AllowSetForegroundWindow, RemoveMenu, SetParent, CallWindowProcW, EnableWindow, GetDlgItemInt, SetDlgItemInt, CheckDlgButton, CopyIcon, DrawFocusRect, NotifyWinEvent, ExitWindowsEx, DrawEdge, WindowFromPoint, GetDoubleClickTime, SetCapture, TrackMouseEvent, LockWorkStation, AppendMenuW, GetParent, SetScrollPos, SetRectEmpty, AdjustWindowRectEx, BringWindowToTop, CascadeWindows, GetSystemMetrics, SystemParametersInfoW, FindWindowW, ReleaseDC, GetDC, DestroyMenu, GetMenuDefaultItem, TileWindows, GetAncestor, SwitchToThisWindow, CheckMenuItem, ShowWindowAsync
    > uxtheme.dll: IsCompositionActive, IsAppThemed, GetThemeMargins, GetThemeRect, IsThemePartDefined, GetThemeBackgroundRegion, DrawThemeTextEx, GetThemeFont, GetThemeColor, GetThemeBool, GetThemeInt, SetWindowTheme, DrawThemeText, GetThemeTextExtent, DrawThemeBackground, CloseThemeData, OpenThemeData, DrawThemeParentBackground, GetThemePartSize, GetThemeMetric, GetThemeBackgroundContentRect

    ( 0 exports )

    TrID : File type identification
    Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
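    The three PEInfo blocks above (whole-file MD5/SHA1/SHA256, then per section the virtual address, virtual size, raw size, entropy and MD5, plus the COFF build timestamp) are the data a reviewer uses to decide whether a system binary such as svchost.exe or userinit.exe has been patched: compare the hashes against a known-good copy from the same service-pack level, and look for a section whose entropy is out of line with the rest of the file. The script below is an added example written for this thread; it is not VirusTotal's code and not from the original post. It walks the PE headers with only the standard library and prints the same table. The two-section image it builds is constructed for the demonstration (real headers, no real code), the 0-to-8 bits-per-byte entropy is the usual Shannon measure that matches the range of the ntrpy column, and the timestamp is rendered in UTC: the listing above shows 0x47918B89 as 06:32:57, so VirusTotal's rendering was not in UTC and sits one hour later than what this prints.

```python
"""Reproduce VirusTotal's PEInfo table (section name, virtual address and
size, raw size, entropy, per-section MD5) plus whole-file hashes and the
build timestamp, using only the standard library.  Added example for this
thread, not VirusTotal code; the sample image below is constructed."""
import hashlib
import math
import struct
import sys
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for
    uniformly distributed bytes (the 0-to-8 scale of the ntrpy column)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return h if h > 0 else 0.0          # avoid printing -0.00 for constant data


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of both PE32 and PE32+ optional headers.
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rawptr:rawptr + rawsize]          # the bytes as stored on disk
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr,
            "virsiz": vsize,
            "rawdsiz": rawsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "machine": machine,
        "entrypoint": entry,
        # TimeDateStamp is seconds since 1970-01-01 UTC; rendered here in UTC.
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (valid headers, no real code): a
    .text section holding every byte value twice (entropy exactly 8.0) and a
    .data section that is half 0x00 / half 0xFF (entropy exactly 1.0)."""
    text = bytes(range(256)) * 2                    # 0x200 bytes
    data = b"\x00" * 256 + b"\xff" * 256            # 0x200 bytes
    e_lfanew, opt_size, nsect = 0x40, 0xE0, 2       # 0xE0 = PE32 optional header size
    text_off = 0x200                                # first 0x200-aligned slot after headers
    data_off = text_off + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0x47918B89, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)         # AddressOfEntryPoint
    hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_off,
                      0, 0, 0, 0, 0x60000020)       # CODE | EXECUTE | READ
    hdr += struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x2000, len(data), data_off,
                       0, 0, 0, 0, 0xC0000040)      # INITIALIZED_DATA | READ | WRITE
    image = dos + b"PE\0\0" + coff + bytes(opt) + hdr
    if len(image) > text_off:
        raise RuntimeError("headers overflow the first file-alignment slot")
    return image.ljust(text_off, b"\0") + text + data


def report(info: dict) -> str:
    """Render the same layout VirusTotal used in the thread."""
    lines = [f"MD5   : {info['md5']}", f"SHA1  : {info['sha1']}", f"SHA256: {info['sha256']}",
             f"entrypointaddress.: 0x{info['entrypoint']:X}",
             f"timedatestamp.....: {info['timestamp']} UTC",
             f"machinetype.......: 0x{info['machine']:X}",
             "name viradd virsiz rawdsiz ntrpy md5"]
    for s in info["sections"]:
        lines.append(f"{s['name']} 0x{s['viradd']:X} 0x{s['virsiz']:X} 0x{s['rawdsiz']:X} "
                     f"{s['ntrpy']:.2f} {s['md5']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # With a path argument, analyse a real file (e.g. C:\Windows\System32\svchost.exe);
    # without one, analyse the constructed sample image.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(report(parse_pe(blob)))
```

    Run it against the same three files the thread submitted (`python pe_sections.py C:\Windows\System32\svchost.exe` and so on) and the whole-file hashes should match the MD5/SHA256 values VirusTotal returned; a mismatch against a known-good copy of the same build, or a .text section whose entropy climbs toward 7 or 8 while the rest of the file looks normal, is the signal that the binary has been patched or packed.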
     
  11. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    Tried to post Virustotal results but a pop-up said that the moderator had to approve. Any suggestions? Should I attach the results?
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I got them, thank you :)
     
  13. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    Finally was able to get Combofix to run properly. The log is attached.

    Thanks.
     

    Attached Files:

  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    It doesn't look like you ran my script, because nothing got fixed.
    Please, retry.
     
  15. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    I re-ran and attached the ComboFix log file.
     

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Looks good :)

    Delete your GMER file, download fresh one and give me new log, please.
     
  17. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    GMER log below. FYI, getting a few "corrupt file" notifications.


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-05-30 20:00:18
    Windows 6.0.6002 Service Pack 2
    Running: 1n5dvb7r.exe; Driver: C:\Users\HCLAXT~1.NTE\AppData\Local\Temp\kfgoifow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp wpsdrvnt.sys
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp wpsdrvnt.sys
    AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  18. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Looks good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


    Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackTHis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  19. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    Combofix /Uninstall was not found by searching per the Vista instructions.
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Delete Combofix manually:
    Delete the Combofix and Qoobox folders, and the Combofix.txt file, from C:
    Delete broni.com from your desktop
     
  21. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    ComboFix is removed manually.

    Ran Temp File Cleaner

    Ran Kaspersky - Nothing found, nothing to report

    Attempted to run/install Hijack This. However, it will not install. It is calculating the disk space needed for the installation incorrectly. See attached snapshot.
     

    Attached Files:

  22. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  23. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    Hijack This Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:56:44 PM, on 5/31/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe
    C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Program Files\Citrix\GoToMeeting\366\g2mcomm.exe
    C:\Program Files\Citrix\GoToMeeting\366\g2mlauncher.exe
    C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
    C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
    O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe "/Trigger RunAtLogon"
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: SnagIt 9.lnk = C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ntech.local
    O17 - HKLM\Software\..\Telephony: DomainName = ntech.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ntech.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ntech.local
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
    O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
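    The "clean" verdict that follows this log comes from reading each entry's file path and publisher: R/O entries whose binary sits under Program Files or Windows and whose service carries a known vendor are routine; an entry pointing into a user profile, a Temp folder or an unusual top-level directory, or a service with "Unknown owner", is where the reviewer looks first. The script below is an added example written for this thread, not part of the original post and not HijackThis code; it mechanises that first pass over HijackThis-style log lines. Its sample log is a handful of lines copied from the HijackThis output above plus one constructed O4 entry (an "updater" in a user's Temp folder) that is not from the log. The flags are review prompts, not verdicts: it flags the TOSHIBA pinger service because it lives outside Program Files and has no publisher, and Broni still judged that machine clean, which is exactly the point of a triage pass.

```python
"""First-pass triage of a HijackThis log: parse the entry lines, extract the
binary each one points at, and flag the entries a reviewer reads first.
Added example for this thread; not HijackThis code, and the flags are
review prompts, not verdicts."""
import re
from typing import Dict, List, Optional

# "O23 - Service: ..." / "R1 - HKLM\..." / "F0 - ..." style entry lines.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# A drive-letter or %VAR%-rooted path up to a loadable/runnable extension.
PATH_RE = re.compile(
    r"(?:[A-Za-z]:|%[^%\s]+%)\\.*?\.(?:exe|dll|sys|ocx|cpl|scr|com|bat|cmd)\b", re.I)


def location_class(path: str) -> str:
    """Coarse trust class of a path: system, program, user (writable by a
    non-admin, which deliberately includes Windows\\Temp) or other (anything
    else, e.g. an OEM directory at the drive root)."""
    p = path.lower().replace("%programfiles%", "c:\\program files")
    p = p.replace("progra~1", "program files")          # 8.3 short name as seen in the log
    if re.search(r"\\(users|documents and settings|appdata|temp|programdata)\\", p):
        return "user"
    if re.match(r"[a-z]:\\program files", p):
        return "program"
    if re.match(r"[a-z]:\\windows\\", p):
        return "system"
    return "other"


def parse_entry(line: str) -> Optional[Dict]:
    """Return a record for an entry line, or None for headers and the
    'Running processes' list, which are not R/F/O entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None
    flags: List[str] = []
    if path:
        cls = location_class(path)
        if cls == "user":
            flags.append("binary in a user-writable path")
        elif cls == "other":
            flags.append("binary outside Program Files/Windows; verify publisher")
    if sec == "O23" and "Unknown owner" in body:
        flags.append("service binary carries no publisher in its version info")
    return {"section": sec, "body": body, "path": path, "flags": flags}


def triage(log_text: str) -> List[Dict]:
    """Parse every entry line; unflagged entries are kept so totals are visible."""
    return [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]


def flagged(entries: List[Dict]) -> List[Dict]:
    return [e for e in entries if e["flags"]]


# Lines copied from the HijackThis log in this thread, plus one constructed
# O4 entry (the Temp-folder "updater") that is NOT from the log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\Windows\Explorer.EXE
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [updater] C:\Users\example\AppData\Local\Temp\updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_LOG)):
        print(f"{e['section']:4} {e['path']}\n     -> " + "; ".join(e["flags"]))
```

    Feed it a full log (`triage(open("hijackthis.log").read())`) and read the flagged list the way the helper in this thread did: a flag on an OEM service in a vendor directory is usually cleared by checking the file's signature and publisher, while a Run entry or service whose binary lives under AppData or Temp is the kind of entry that gets submitted to VirusTotal before anything else.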
     
  24. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
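The System Restore reset in steps 1 to 4 above can also be done from an elevated PowerShell prompt on Vista/7; the script below is an added example, not Broni's instructions or TechSpot material, and it assumes PowerShell 2.0 or later, that "C:\" is the drive to reset, and that the restore-point descriptions are ours.

```powershell
# Added example (not from the thread): scripted version of steps 1-4 for Windows Vista/7.
# Run from an elevated PowerShell prompt (PowerShell 2.0+). The drive letter is an assumption.
$Drive = "C:\"

function Show-RestorePoints($label) {
    # Lists what System Restore currently holds, so the effect of each step can be verified.
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    Write-Host ("{0}: {1} restore point(s)" -f $label, $points.Count)
    foreach ($p in $points) {
        Write-Host ("  #{0}  {1}" -f $p.SequenceNumber, $p.Description)
    }
}

Show-RestorePoints "Before"

# Step 1: turn System Restore off for the drive. This is the scripted equivalent of
# unchecking the drive under System Protection; as with the GUI, the old restore points
# (including any created while the machine was infected) are expected to be dropped.
# Check the "After" listing rather than assuming it.
Disable-ComputerRestore -Drive $Drive

# Step 2, the reboot, is left to the operator.

# Step 3: turn System Restore back on and create one fresh, known-clean point.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description "Clean state after malware removal" `
                    -RestorePointType MODIFY_SETTINGS

Show-RestorePoints "After"

# Step 4: count updates that are still pending, via the Windows Update Agent COM API.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
Write-Host ("Pending Windows Updates: {0}" -f $pending.Count)
foreach ($u in $pending) { Write-Host ("  " + $u.Title) }
```

The "After" listing should show only the new checkpoint; if older points survive, delete them through the System Protection dialog as described in the steps above.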
     
  25. Henleyz

    Henleyz TS Rookie Topic Starter Posts: 21

    Reset restore point

    Downloaded MS updates and installed. Now the system is in a reboot loop attempting to complete the installation. "Configuring Updates: Stage 3 of 3 - 0%", then it reboots and gets to the same spot before rebooting again. Any suggestions?
     
Topic Status:
Not open for further replies.
