Inactive System Check malware trouble

Status
Not open for further replies.

BlackMita

Posts: 6   +0
Hello. I came across these forums shortly after googling the System Check malware which effected my computer today.

I first noticed half of my desktop icons were missing, whilst the rest were faded black. A few minutes later I got the fake hard drive failure notifications, the 20-something error pop-ups, and the System Check window itself. I suspected it was malware when all my desktop items disappeared, and all my folders/icons were faded white (like when you hide it). So I rebooted.

After rebooting none of folders/icons showed up, even in the start menu. This was when I actually googled these symptoms and found this forum.

I followed the 5 Step Preliminary removal instructions.

The only thing I did that wasn't exactly as instructed was schedule a boot scan with avast. This was recommended on another forum when the full scan takes too long (it was at 0% for almost 30 minutes). It seemed to work, though it still took almost 5 hours of scanning (before Vista even booted to desktop).

Once I had avast running, and finished the MBAM instructions (it gave me the restart prompt and I clicked yes) the System Check pop ups, error pop ups, and hard drive notifications all stopped. All folders/icons still not displaying though.

I guess the logs will say more, but all the other steps went smoothly as far as I can tell, so I'll just get to posting them. The only obvious problem I'm having now is a laptop with no folder/icons/navigation and the prospect that this malware (or possibly others) is still on my PC but not showing symptoms for now.

_______________________________


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.30.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 7.0.6002.18005
Home :: TW-LAPTOP [administrator]

Protection: Enabled

1/30/2012 8:23:17 PM
mbam-log-2012-01-30 (20-23-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 291162
Time elapsed: 1 hour(s), 35 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (Trojan.Proxy) -> Delete on reboot.

Registry Keys Detected: 4
HKCR\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (Trojan.Proxy) -> Quarantined and deleted successfully.
HKCR\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (Trojan.Proxy) -> Data: sp -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^^ -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (Trojan.Proxy) -> Delete on reboot.
C:\ProgramData\z4v2cJQ896Eamm.exe (Trojan.FakeHDD) -> Quarantined and deleted successfully.
C:\Users\Home\Downloads\SoftonicDownloader_for_windows-vista-service-pack-2.exe (PUP.BundleOffer.Downloader.S) -> Quarantined and deleted successfully.
C:\Users\Home\Downloads\DPL_ColorKeyMulti_Effects_Installer.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
C:\Users\Home\Downloads\DPL_ColorShift_Effects_Installer.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
C:\Users\Home\Downloads\DPL_OverlayT_Effects_Installer.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.

(end)
 
gmer.log

________________


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-30 22:21:42
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LB01
Running: 3jrz0ok6.exe; Driver: C:\Users\Home\AppData\Local\Temp\kwldrpod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9369A7A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84E1F1F8
Device \Driver\iaStor \Device\Ide\iaStor0 [8824CD30] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 84E1F1F8
Device \Driver\atapi \Device\Ide\IdePort1 84E1F1F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8824CD30] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\amj0vttn \Device\Scsi\amj0vttn1 869621F8
Device \Driver\amj0vttn \Device\Scsi\amj0vttn1Port4Path0Target0Lun0 869621F8
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Ntfs \Ntfs 84E211F8

AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process (*** hidden *** ) 5452

---- EOF - GMER 1.0.15 ----
 
DDS.txt

____________

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_26
Run by Home at 22:29:10 on 2012-01-30
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2046.967 [GMT -5:00]
.
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\InstantEyedropper\InstantEyedropper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [windrivers] wscript "c:\users\home\appdata\local\temp\windrivers.js"
uRun: [instanteyedropper] "c:\program files\instanteyedropper\InstantEyedropper.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [HWSetup] \HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [NDSTray.exe] NDSTray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Skytel] Skytel.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [Joystick 2 Mouse] c:\program files\joystick 2 mouse 3\Joystick 2 Mouse.exe /NoConfigure
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [NPSStartup]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
StartupFolder: c:\users\home\appdata\roaming\micros~1\windows\startm~1\programs\startup\capsun~1.lnk - c:\program files\capsunlock\CapsUnlock.exe
StartupFolder: c:\users\home\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\users\home\appdata\roaming\micros~1\windows\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 64.71.255.198
TCP: Interfaces\{53EDBA1B-E333-4612-98D7-50EB97FE9D02} : DhcpNameServer = 64.71.255.198
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\home\appdata\roaming\mozilla\firefox\profiles\ab0j627a.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Users/Home/Documents/Text%20Documents/Learning%20HTML/BlackMita%27s%20Page/index.html
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=2&q=
FF - component: c:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\home\appdata\roaming\mozilla\firefox\profiles\ab0j627a.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: c:\users\home\program files\dna\plugins\npbtdna.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: YoYo Games InstantPlay: yyginstantplay@yoyogames.com - %profile%\extensions\yyginstantplay@yoyogames.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
FF - Ext: XULRunner: {88099242-E005-4E07-8B9F-3537B2DD2F32} - c:\users\home\appdata\local\{88099242-E005-4E07-8B9F-3537B2DD2F32}
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc -
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-30 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-1-30 314456]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090923.001\IDSvix86.sys [2009-9-25 272432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-1-30 20568]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-1-30 55128]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-1-30 44768]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-26 21504]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2012-1-27 238952]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-10-31 149352]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-30 652360]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2012-1-27 36608]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-30 20464]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [2011-9-11 52312]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-10-20 1153368]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2012-1-27 98560]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2012-1-27 14848]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2012-1-27 123648]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-10-17 1245064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-31 01:22:09 -------- d-----w- c:\users\home\appdata\roaming\Malwarebytes
2012-01-31 01:21:58 -------- d-----w- c:\programdata\Malwarebytes
2012-01-31 01:21:57 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-31 01:21:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-30 18:17:48 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-30 18:17:46 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-01-30 18:17:06 41184 ----a-w- c:\windows\avastSS.scr
2012-01-30 18:16:32 -------- d-----w- c:\programdata\AVAST Software
2012-01-30 18:16:32 -------- d-----w- c:\program files\AVAST Software
2012-01-27 18:51:31 14848 ---ha-w- c:\windows\system32\drivers\sscemdfl.sys
2012-01-27 18:51:31 123648 ---ha-w- c:\windows\system32\drivers\sscemdm.sys
2012-01-27 18:51:31 12288 ---ha-w- c:\windows\system32\drivers\sscewhnt.sys
2012-01-27 18:51:31 12288 ---ha-w- c:\windows\system32\drivers\sscewh.sys
2012-01-27 18:51:30 98560 ---ha-w- c:\windows\system32\drivers\sscebus.sys
2012-01-27 18:51:30 12416 ---ha-w- c:\windows\system32\drivers\sscecmnt.sys
2012-01-27 18:51:30 12416 ---ha-w- c:\windows\system32\drivers\sscecm.sys
2012-01-27 18:49:31 36608 ---ha-w- c:\windows\system32\FsUsbExDisk.Sys
2012-01-27 18:49:31 238952 ---ha-w- c:\windows\system32\FsUsbExService.Exe
2012-01-27 18:49:31 110592 ---ha-w- c:\windows\system32\FsUsbExDevice.Dll
2012-01-27 18:48:31 -------- d--h--w- c:\users\home\appdata\roaming\Samsung
2012-01-27 18:47:51 -------- d--h--w- c:\program files\MarkAny
2012-01-27 18:46:53 -------- d--h--w- c:\program files\Samsung
2012-01-27 18:44:41 -------- d--h--w- c:\programdata\Samsung
2012-01-27 05:00:15 111616 ---ha-w- c:\programdata\CgL22CaH.exe
2012-01-26 02:00:44 -------- d--h--w- c:\programdata\RegCure
2012-01-17 22:17:26 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-17 22:17:26 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-17 22:17:25 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-17 22:17:25 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-17 22:17:25 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-17 22:17:25 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-15 16:46:37 83249512 ---ha-w- c:\program files\common files\windows live\.cache\wlcBE42.tmp
2012-01-15 16:37:54 -------- d--h--w- c:\users\home\Tracing
2012-01-12 04:35:24 -------- d--h--w- c:\windows\system32\Adobe
2012-01-11 08:21:59 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 08:21:59 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 08:21:51 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 08:21:43 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 08:21:39 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 08:21:26 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-01-11 08:20:19 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 08:20:19 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-10 13:39:34 6823496 ---ha-w- c:\programdata\microsoft\windows defender\definition updates\{857b324c-96be-4fd4-a7e6-5628aca654b5}\mpengine.dll
.
==================== Find3M ====================
.
2012-01-25 01:53:42 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-04 14:54:57 1383424 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 22:33:14.79 ===============
 
Attach.txt

_____________


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 10/17/2008 5:00:13 AM
System Uptime: 1/30/2012 10:05:25 PM (0 hours ago)
.
Motherboard: TOSHIBA | | ISKAA
Processor: Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz | U2E1

| 1667/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 180 GiB total, 11.575 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0005
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #4
PNP Device ID: ROOT\*6TO4MP\0005
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0008
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #6
PNP Device ID: ROOT\*6TO4MP\0008
Service: tunnel
.
Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
Description: Total Recorder WDM audio driver
Device ID: ROOT\*TOTREC7\0000
Manufacturer: High Criteria
Name: Total Recorder WDM audio driver
PNP Device ID: ROOT\*TOTREC7\0000
Service: TotRec7
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
AAC Decoder
AC3Filter 1.63b
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Shockwave Player 11.6
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
ALPS Touch Pad Driver
Any to Icon
AppCore
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
ASIO4ALL
ATI Catalyst Install Manager
AutoUpdate
avast! Free Antivirus
Backup
BitComet 1.05
Bonjour
Camera Assistant Software for Toshiba
CamStudio
CamStudio Lossless Codec
Canon DIGITAL CAMERA Solution Disk Software Guide
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator EX 1.0
Canon PowerShot A800 Camera User Guide
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow Launcher
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities Solution Menu
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CanoScan LiDE 90
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
ccCommon
CD/DVD Drive Acoustic Silencer
CDisplay 1.8
Collab
Command & Conquer Red Alert 2
Command && Conquer Red Alert 2 - Yuri's Revenge
Counter-Strike: Source
Counter-Strike: Source Beta
DAEMON Tools Toolbar
Debut Video Capture Software
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DNA
Driver Detective
DVD MovieFactory for TOSHIBA
Eraser 6.0.7.1893
FinalAlert 2 Yuri's Revenge
FL Studio 9
Freecorder 5
FTP Explorer
FullRA Plus V3.03
Game Maker 7.0
Game Maker 8.0
GameMaker 8.1
Garry's Mod
GCFScape 1.8.1
GearDrvs
GraphicsGale FreeEdition version 1.93.12
H.264 Decoder
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
Hardcore
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Officejet 6500 E710a-f Basic Device Software
HP Officejet 6500 E710a-f Help
HP Officejet 6500 E710a-f Product Improvement Study
HP Update
HyperCam 2
I.R.I.S. OCR
IL Download Manager
Instant Eyedropper 1.75
Intel Matrix Storage Manager
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) 6 Update 22
Java(TM) 6 Update 26
Java(TM) SE Runtime Environment 6
Kali II
KeyText v3
LAME v3.98.2 for Audacity
LiveUpdate (Symantec Corporation)
Logitech Gaming Software 5.10
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Male Voice Pack
Malwarebytes Anti-Malware version 1.60.1.1000
ManyCam 2.5.74 (remove only)
Marketsplash Shortcuts
mCore
mHelp
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft GIF Animator
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft XML Parser
Minecraft 1.2.0_02
MKV Splitter
mMHouse
Mozilla Firefox (3.6.3)
mPfMgr
MSVCRT
MSVCRT Redists
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
NVIDIA Photoshop Plug-ins
OnlinePlay 1.0
OpenOffice.org 3.3
PDF Settings
Plants vs. Zombies
Pokemon Online 1.0.23
Portal
Presto! PageManager 7.15.16
Prism Video File Converter
Project64 1.6
QuickTime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver

for Windows Vista
Realtek High Definition Audio Driver
RehanFX Shader Transitions and Effects (ShaderTFX)
reminder
Sakura
Samsung New PC Studio
SAMSUNG USB Driver for Mobile Phones
Sawer
ScanSoft OmniPage SE 4
SCWebCam3
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile

(KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile

(KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile

(KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile

(KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile

(KB2656351)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Silent Hill
Skins
Source SDK
Source SDK Base 2007
SPBBC 32bit
Spybot - Search & Destroy
SRWare Iron 15.0.900.0
Steam
swMSM
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Synaptics Pointing Device Driver
System Requirements Lab
Team Fortress 2
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Flash Cards Support Utility
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Toxic Biohazard
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Utility Common Driver
VC80CRTRedist - 8.0.50727.762
Vegas Pro 10.0
VLC media player 1.0.5
VTFEdit 1.2.5
Westwood Shared Internet Components
Winamp
Winamp Detector Plug-in
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Upload Tool
Windows Media Encoder 9 Series
WinPcap 4.1.2
WinRAR archiver
WordWeb
WorldsPlayer by Worlds.com
.
==== End Of File ===========================
 
Welcome to TechSpot! I'll help with the malware. But we need to do some housekeeping first:

Run the following to help restore the missing icons, programs, etc. We will handle the other cosmetic problems later:

Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
Note1 This does not remove the malware- only the attribute hiding these features, so it's important to continue.
Note 2: If you are infected with System Check it is important that you do not delete any files from your Temp folder or use any temp file cleaners
==================================
Reset your browser proxies
  • For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
  • For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click Ok to close the Local Area Network (LAN) Settings window.
    o Click Ok to close the Internet Options window.
=====================================
1. You are running 2 antivirus programs. You had Norton 360 and then you installed Avast on 1/30. Please remove one of them. Reboot the computer when through.

2. Please uninstall Bit Comet/Bit Comet Helper while I am helping you- otherwise it's a matter of removing malware out the front door, but it comes right back in through the back door.

3. Please update Java: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
Be sure to check all download screens for any pre-check toolbars or BHO> if found, remove the check before the download.

Also, open Firefox> Tools> Extensions> remove all outdated versions of Java. You will have malware in the Java cache which I will remove later.
==============================================
Please remove whatever programs you used previously and use the links I give you:

Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Expect these- they are normal:
1. If asked to install or or update the Recovery Console, allow. (you will need internet connection for this)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job this is normal.

Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe
    cf-icon.jpg
    & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.[/b]
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
    • Note: No query will be made if the Recovery Console is already on the system.
  • .Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • .Close any open browsers.
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=================================
After I review the Combofix log, I will continue with the appropriate programs for you to run.
=================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.

If I haven't replied back to you within 48 hours, you can send a PMwith your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
Threads are closed after 5 days if there is no reply.
================================
Please leave the Combofix log in your next reply.
 
OK things started great initially, but then went completely downhill due to one specific choice I shouldn't have made, even though it was still following your instructions.

I installed Unhide.exe and it worked perfectly. I also reset Firefox browser proxies ("No proxy" was already the default). The part where I had to remove one of my anti-virus programs is where I should have stopped:

I don't actually have Norton working. It's been sitting on my PC for almost 3 years doing nothing. The subscription ran out, but I've never even been able to un-install it! But I tried to again anyway, because I didn't want to have to remove Avast, which was actually doing it's job and running.

Trying to un-install Norton from the installed programs list just yields a pop up saying Norton LiveUpdate (or something) is in use and that I have to close that first to do the un-install... which is impossible because you can't do ANYTHING with a dead Norton but pay to reactivate it. Worth mentioning that Norton LiveUpdate isn't on the un-install list.

So I made the choice to un-install Avast (basically my only virus protection) which prompted me to reboot.

I then un-installed BitComet and anything Java from the list, then re-installed the latest Java successfully (mind you this is all happening without virus protection now). When I went to remove Java related Firefox extensions, all the uninstall buttons were grayed out, but the disable buttons were not, so I just disabled them all.

Finally I downloaded ComboFix; ran it, and hit agree to the first prompt. The window then closed, nothing happened for about 3 minutes, then the blue screen finally appeared and closed my browser about a minute later... and then basically did nothing for 3 hours (meanwhile it says it'll only take 10-20 minutes). Really??

Sometime during the last hour of just not wanting to touch ComboFix as it took its sweet time, I noticed some of my desktop icons had dissappeared again, and a "System Check" icon had appeared.

I had to close ComboFix at this point, because I wanted to post this... but couldn't. Everytime I tried to open firefox, it said "it was already running and needed to be closed". So I rebooted, but it still said this. So I tried Internet Explorer, which simply wouldn't load at all.

I'm now posting this from Safe mode with network in Firefox (finally working). I'm willing to do everything over (the 5 preliminary steps and a new thread) so long as I don't have to get rid of Avast during the clean up (it seems to have been the only thing actually suppressing all the problems!)

The problem now is this would mean contradicting your instructions further: re-installing Avast. Should I get Avast again, and re-install it right now? (through Safe mode with networking; which is the only way I can even browse the internet now)
 
A lot of words there! I'll cut to the chase:

Get an antivirus on the system now! Go ahead and put Avast back on> now.

For Norton: Try booting into Safe Mode with Networking- the security program won't be running. The use the Norton Uninstaller:
Norton Removal Tool
I can remove left over processes with script in Combofix if needed. I haven't done that yet, because it could 'break' the uninstaller, so it's best to remove it all at once.

IF the remover won't work, you can try removing it using the following- again, you may need to be in Safe Mode with Networking:

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    image_preview
  5. Click on Next after choice has been made
  6. Check the Norton program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

You will need to reboot to complete the uninstall.

Let me know.

Many users think if they don't renew a subscription and ignore a program, it will just go away! But not so> processes are still loading for it. The update won't be current but the processes will run anyway
===============================
"Java related Firefox extensions, all the uninstall buttons were grayed out">> this can happen if you're not signed on to the Administrative Account. Disabled is okay for now.
=============================
If would be best if you can get Combofix to run as it will remove some of the System Check processes:
NOTE: If, for some reason, Combofix refuses to run, try one of the following:
First> Try to run Combofix from Safe Mode. If it doesn't scan, go to next step.

Second: Delete Combofix file, download fresh one, but rename combofix.exe to
friday.exe BEFORE saving it to your desktop.
Do NOT run it yet.
-------------------------------------
Third: Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 3 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Rkill instructions
Once you've gotten one of them to run
  • immediately double click on friday.exe to run Combofix
    -----------------------------
    If Combofix still won't run, add the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan)
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
  • If normal mode still doesn't work, run BOTH tools from safe mode.

Summary: Try Combofix scan in Safe Mode first.
If it won't scan, delete then reinstall Combofix renaming before download.
Run RKill then try Combofix
Add exehelper if needed

If needed, run all 3 programs in Safe Mode.
 
Avast is back on.

Tried running ComboFix in normal mode, but it never got to blue screen. So I deleted ComboFix, and re-downloaded it to desktop as Friday.exe then downloaded rkill and ran that (it seemed to work) then quickly ran Friday. Avast kept interrupting rkill, and I had to tell Avast to ignore over and over. Decided to try this again in safe mode (running rkill then Friday w/out having to disable Avast) and it got to blue screen this time.

I then got a window saying "pev.3XE has stopped working and needs to be closed" which when pressed, makes a ComboFix window appear saying "disk root activity detected; must now reboot" where hitting OK reboots it (and to normal mode without asking...)

Back in normal mode, ComboFix still does nothing, so I downloaded exehelper and ran all 3 (exehelper --> rkill --> Friday) but Avast interrupts again, so I reboot to safe mode and ran all 3 (exehelper --> rkill --> Friday) getting to ComboFix blue screen without interruption.


exehelperlog

__________________________


exeHelper by Raktor
Build 20100414
Run at 08:34:36 on 02/01/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 08:39:22 on 02/01/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 08:50:01 on 02/01/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

__________________________


During ComboFix scan, I get this message, about 40 seconds into blue screen:

You are infected with RootKit.Zero Access! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection.

If for any reason you are unable to connect to the internet after running ComboFix, reboot once more and see if that fixes it.

If its not fixed, run ComboFix on more time.

This message only had an OK button, which I clicked. From there ComboFix just stays at blue screen. pev.3XE prompt appeared again, but I didn't touch it, to give Combo more time... but ended up closing about 90 mins later to reply here.

ComboFix has yet to produce any logs (or complete a scan I guess).

P.S: I managed to remove Norton (without using AppRemover) by un-installing in safe mode, well before I first ran Friday.

I really appreciate your help. My PC seems at least usable again, for the moment, so I won't run/do anything that isn't your instructions.
 
so long as I don't have to get rid of Avast during the clean up (it seems to have been the only thing actually suppressing all the problems!)

Think about the above for minute> if Avast is going to 'suppress' all the malware entries, how are we going to find them to remove? Or how will a scan remove them. The reason you run RKill is to stop those entries from running long enough to find and remove them. That's why you don't reboot after running it>> because the malware would start again.
=====================================
We're going to do some housekeeping:

DeFogger CD Emulation: I see Damon Lite. IF you have any others of this type, please include them. You can reverse the process when we're finished.

To disable CD Emulation programs using DeFogger please perform these steps:
  1. . Please download DeFogger to your desktop.
  2. . Double-click on the DeFogger icon to start the tool.
  3. . The application window will> appear> click on the Disable button to disable your CD Emulation drivers
  4. . At prompt to continue> click on the Yes button to continue
  5. . When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
---------------------------
The following can be done when we're finished:
To enable CD Emulation programs using DeFogger please perform these steps:
  1. . Please download DeFogger to your desktop.
  2. . Once downloaded, double-click on the DeFogger icon to start the tool.
  3. . The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers
  4. . When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. . When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. . If CD Emulation programs are present and have been enabled,

DeFogger will now ask you to reboot the machine. Please allow it to do so
by clicking on the OK button.
=======================================
Disable Tea Timer:
  • Right click the TeaTimer icon in the system Tray
    MHoTT005.gif
  • Then click Exit Spybot-S&D Resident
  • (One you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe
======================================
Please disable or uninstall the following:
"c:\program files\instanteyedropper\InstantEyedropper.exe"
There have been some issues while interacting with the application. The system tray icon did not respond the same way overtime when clicked. At times, the icon had to be depressed continually to enable the pixel magnifier.
=====================================
Please disable or uninstall the following:
C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
Description: Toshiba utility that allows you to change various hardware settings on your computer.
===================================
Please remove this from the Startup menu:
[MSConfig] "c:\windows\system32\msconfig.exe" /auto>> It means you are booting up using msconfig to control some aspect of what is being loaded at startup.
=================================
Please disable from Startup:
[Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
=================================
We need this to be a stable system, where you can run scans and produce logs that won't change every time you reboot. You have so many of these programs running it won't be possible to get a reliable scan.
=================================
When all of the above has been handled, please run the following:
  • Download OTL from one of the links below and save it to your desktop.
    OTL.exe
    OTL.com
    OTL.scr
    You just need one. Sometimes the file extension gets blocked.

    Note: When using these links, use Internet Explorer to download. If using Firefox, you should right-click and use "Save link As". Otherwise, on some systems, FF attempts to open the file as a script and just a bunch of gibberish is displayed.
  • Double click the OTL icon to run it.
    OTL_icon.gif
  • The opened console will resemble this:
    OTLv3.1.5.0.gif
  • Set Output at the top to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Copy the entries in the Codebox below> Paste in the Custom Scan box.
    Code:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    Make sure all other windows are closed and to let it run uninterrupted.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
=====================================
Please post the 2 logs from OTL in your next reply.
 
Status
Not open for further replies.
Back