System Check malware trouble

By BlackMita · 8 replies
Jan 30, 2012
  1. Hello. I came across these forums shortly after googling the System Check malware which effected my computer today.

    I first noticed half of my desktop icons were missing, whilst the rest were faded black. A few minutes later I got the fake hard drive failure notifications, the 20-something error pop-ups, and the System Check window itself. I suspected it was malware when all my desktop items disappeared, and all my folders/icons were faded white (like when you hide it). So I rebooted.

    After rebooting none of folders/icons showed up, even in the start menu. This was when I actually googled these symptoms and found this forum.

    I followed the 5 Step Preliminary removal instructions.

    The only thing I did that wasn't exactly as instructed was schedule a boot scan with avast. This was recommended on another forum when the full scan takes too long (it was at 0% for almost 30 minutes). It seemed to work, though it still took almost 5 hours of scanning (before Vista even booted to desktop).

    Once I had avast running, and finished the MBAM instructions (it gave me the restart prompt and I clicked yes) the System Check pop ups, error pop ups, and hard drive notifications all stopped. All folders/icons still not displaying though.

    I guess the logs will say more, but all the other steps went smoothly as far as I can tell, so I'll just get to posting them. The only obvious problem I'm having now is a laptop with no folder/icons/navigation and the prospect that this malware (or possibly others) is still on my PC but not showing symptoms for now.


    Malwarebytes Anti-Malware (Trial)

    Database version: v2012.01.30.04

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 7.0.6002.18005
    Home :: TW-LAPTOP [administrator]

    Protection: Enabled

    1/30/2012 8:23:17 PM
    mbam-log-2012-01-30 (20-23-17).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 291162
    Time elapsed: 1 hour(s), 35 minute(s), 42 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (Trojan.Proxy) -> Delete on reboot.

    Registry Keys Detected: 4
    HKCR\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (Trojan.Proxy) -> Quarantined and deleted successfully.
    HKCR\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
    HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

    Registry Values Detected: 3
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (Trojan.Proxy) -> Data: sp -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^^ -> Quarantined and deleted successfully.

    Registry Data Items Detected: 3
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 6
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (Trojan.Proxy) -> Delete on reboot.
    C:\ProgramData\z4v2cJQ896Eamm.exe (Trojan.FakeHDD) -> Quarantined and deleted successfully.
    C:\Users\Home\Downloads\SoftonicDownloader_for_windows-vista-service-pack-2.exe (PUP.BundleOffer.Downloader.S) -> Quarantined and deleted successfully.
    C:\Users\Home\Downloads\DPL_ColorKeyMulti_Effects_Installer.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
    C:\Users\Home\Downloads\DPL_ColorShift_Effects_Installer.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
    C:\Users\Home\Downloads\DPL_OverlayT_Effects_Installer.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.

  2. BlackMita

    BlackMita TS Rookie Topic Starter



    GMER -
    Rootkit quick scan 2012-01-30 22:21:42
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LB01
    Running: 3jrz0ok6.exe; Driver: C:\Users\Home\AppData\Local\Temp\kwldrpod.sys

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9369A7A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84E1F1F8
    Device \Driver\iaStor \Device\Ide\iaStor0 [8824CD30] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 84E1F1F8
    Device \Driver\atapi \Device\Ide\IdePort1 84E1F1F8
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8824CD30] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\amj0vttn \Device\Scsi\amj0vttn1 869621F8
    Device \Driver\amj0vttn \Device\Scsi\amj0vttn1Port4Path0Target0Lun0 869621F8
    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\Ntfs \Ntfs 84E211F8

    AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- Processes - GMER 1.0.15 ----

    Process (*** hidden *** ) 5452

    ---- EOF - GMER 1.0.15 ----
  3. BlackMita

    BlackMita TS Rookie Topic Starter



    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_26
    Run by Home at 22:29:10 on 2012-01-30
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2046.967 [GMT -5:00]
    AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    ============== Running Processes ===============
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Program Files\ltmoh\ltmoh.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
    C:\Program Files\Eraser\Eraser.exe
    C:\Program Files\Logitech\Gaming Software\LWEMon.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\InstantEyedropper\InstantEyedropper.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [windrivers] wscript "c:\users\home\appdata\local\temp\windrivers.js"
    uRun: [instanteyedropper] "c:\program files\instanteyedropper\InstantEyedropper.exe"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
    mRun: [HWSetup] \HWSetup.exe hwSetUP
    mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
    mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Skytel] Skytel.exe
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
    mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
    mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
    mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
    mRun: [Joystick 2 Mouse] c:\program files\joystick 2 mouse 3\Joystick 2 Mouse.exe /NoConfigure
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
    mRun: [NPSStartup]
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
    StartupFolder: c:\users\home\appdata\roaming\micros~1\windows\startm~1\programs\startup\capsun~1.lnk - c:\program files\capsunlock\CapsUnlock.exe
    StartupFolder: c:\users\home\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\ 3\program\quickstart.exe
    StartupFolder: c:\users\home\appdata\roaming\micros~1\windows\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: mswsock.dll
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://
    TCP: DhcpNameServer =
    TCP: Interfaces\{53EDBA1B-E333-4612-98D7-50EB97FE9D02} : DhcpNameServer =
    Notify: igfxcui - igfxdev.dll
    ================= FIREFOX ===================
    FF - ProfilePath - c:\users\home\appdata\roaming\mozilla\firefox\profiles\ab0j627a.default\
    FF - prefs.js: browser.startup.homepage - file:///C:/Users/Home/Documents/Text%20Documents/Learning%20HTML/BlackMita%27s%20Page/index.html
    FF - prefs.js: keyword.URL - hxxp://
    FF - component: c:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\users\home\appdata\roaming\mozilla\firefox\profiles\ab0j627a.default\extensions\\plugins\NPYYGInstantPlay.dll
    FF - plugin: c:\users\home\program files\dna\plugins\npbtdna.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: YoYo Games InstantPlay: - %profile%\extensions\
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Adblock Plus Pop-up Addon: - %profile%\extensions\
    FF - Ext: Firebug: - %profile%\extensions\
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\\framework\v3.5\windows presentation

    FF - Ext: avast! WebRep: - c:\program files\avast software\avast\webrep\FF
    FF - Ext: XULRunner: {88099242-E005-4E07-8B9F-3537B2DD2F32} - c:\users\home\appdata\local\{88099242-E005-4E07-8B9F-3537B2DD2F32}
    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.brc -
    ============= SERVICES / DRIVERS ===============
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-30 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-1-30 314456]
    R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090923.001\IDSvix86.sys [2009-9-25 272432]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-1-30 20568]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-1-30 55128]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-1-30 44768]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-26 21504]
    R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2012-1-27 238952]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-10-31 149352]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-30 652360]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
    R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2012-1-27 36608]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-30 20464]
    R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [2011-9-11 52312]
    R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-10-20 1153368]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
    S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]
    S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2012-1-27 98560]
    S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2012-1-27 14848]
    S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2012-1-27 123648]
    S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-10-17 1245064]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    =============== Created Last 30 ================
    2012-01-31 01:22:09 -------- d-----w- c:\users\home\appdata\roaming\Malwarebytes
    2012-01-31 01:21:58 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-31 01:21:57 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-31 01:21:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-30 18:17:48 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-01-30 18:17:46 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-01-30 18:17:06 41184 ----a-w- c:\windows\avastSS.scr
    2012-01-30 18:16:32 -------- d-----w- c:\programdata\AVAST Software
    2012-01-30 18:16:32 -------- d-----w- c:\program files\AVAST Software
    2012-01-27 18:51:31 14848 ---ha-w- c:\windows\system32\drivers\sscemdfl.sys
    2012-01-27 18:51:31 123648 ---ha-w- c:\windows\system32\drivers\sscemdm.sys
    2012-01-27 18:51:31 12288 ---ha-w- c:\windows\system32\drivers\sscewhnt.sys
    2012-01-27 18:51:31 12288 ---ha-w- c:\windows\system32\drivers\sscewh.sys
    2012-01-27 18:51:30 98560 ---ha-w- c:\windows\system32\drivers\sscebus.sys
    2012-01-27 18:51:30 12416 ---ha-w- c:\windows\system32\drivers\sscecmnt.sys
    2012-01-27 18:51:30 12416 ---ha-w- c:\windows\system32\drivers\sscecm.sys
    2012-01-27 18:49:31 36608 ---ha-w- c:\windows\system32\FsUsbExDisk.Sys
    2012-01-27 18:49:31 238952 ---ha-w- c:\windows\system32\FsUsbExService.Exe
    2012-01-27 18:49:31 110592 ---ha-w- c:\windows\system32\FsUsbExDevice.Dll
    2012-01-27 18:48:31 -------- d--h--w- c:\users\home\appdata\roaming\Samsung
    2012-01-27 18:47:51 -------- d--h--w- c:\program files\MarkAny
    2012-01-27 18:46:53 -------- d--h--w- c:\program files\Samsung
    2012-01-27 18:44:41 -------- d--h--w- c:\programdata\Samsung
    2012-01-27 05:00:15 111616 ---ha-w- c:\programdata\CgL22CaH.exe
    2012-01-26 02:00:44 -------- d--h--w- c:\programdata\RegCure
    2012-01-17 22:17:26 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-17 22:17:26 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-01-17 22:17:25 9728 ----a-w- c:\windows\system32\lsass.exe
    2012-01-17 22:17:25 72704 ----a-w- c:\windows\system32\secur32.dll
    2012-01-17 22:17:25 377344 ----a-w- c:\windows\system32\winhttp.dll
    2012-01-17 22:17:25 1259008 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-15 16:46:37 83249512 ---ha-w- c:\program files\common files\windows live\.cache\wlcBE42.tmp
    2012-01-15 16:37:54 -------- d--h--w- c:\users\home\Tracing
    2012-01-12 04:35:24 -------- d--h--w- c:\windows\system32\Adobe
    2012-01-11 08:21:59 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-11 08:21:59 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-01-11 08:21:51 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 08:21:43 66560 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 08:21:39 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-01-11 08:21:26 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2012-01-11 08:20:19 497152 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-11 08:20:19 1314816 ----a-w- c:\windows\system32\quartz.dll
    2012-01-10 13:39:34 6823496 ---ha-w- c:\programdata\microsoft\windows defender\definition updates\{857b324c-96be-4fd4-a7e6-5628aca654b5}\mpengine.dll
    ==================== Find3M ====================
    2012-01-25 01:53:42 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-04 14:54:57 1383424 ----a-w- c:\windows\system32\mshtml.tlb
    ============= FINISH: 22:33:14.79 ===============
  4. BlackMita

    BlackMita TS Rookie Topic Starter



    DDS (Ver_2011-08-26.01)
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/17/2008 5:00:13 AM
    System Uptime: 1/30/2012 10:05:25 PM (0 hours ago)
    Motherboard: TOSHIBA | | ISKAA
    Processor: Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz | U2E1

    | 1667/mhz
    ==== Disk Partitions =========================
    C: is FIXED (NTFS) - 180 GiB total, 11.575 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    ==== Disabled Device Manager Items =============
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0005
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #4
    PNP Device ID: ROOT\*6TO4MP\0005
    Service: tunnel
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0008
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #6
    PNP Device ID: ROOT\*6TO4MP\0008
    Service: tunnel
    Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
    Description: Total Recorder WDM audio driver
    Device ID: ROOT\*TOTREC7\0000
    Manufacturer: High Criteria
    Name: Total Recorder WDM audio driver
    PNP Device ID: ROOT\*TOTREC7\0000
    Service: TotRec7
    ==== System Restore Points ===================
    ==== Installed Programs ======================
    AAC Decoder
    AC3Filter 1.63b
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 9
    Adobe Setup
    Adobe Shockwave Player 11.6
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    ALPS Touch Pad Driver
    Any to Icon
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoStudio 5.5
    ATI Catalyst Install Manager
    avast! Free Antivirus
    BitComet 1.05
    Camera Assistant Software for Toshiba
    CamStudio Lossless Codec
    Canon DIGITAL CAMERA Solution Disk Software Guide
    Canon MovieEdit Task for ZoomBrowser EX
    Canon MP Navigator EX 1.0
    Canon PowerShot A800 Camera User Guide
    Canon Utilities CameraWindow DC 8
    Canon Utilities CameraWindow Launcher
    Canon Utilities Movie Uploader for YouTube
    Canon Utilities MyCamera
    Canon Utilities PhotoStitch
    Canon Utilities Solution Menu
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    CanoScan LiDE 90
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Czech
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CD/DVD Drive Acoustic Silencer
    CDisplay 1.8
    Command & Conquer Red Alert 2
    Command && Conquer Red Alert 2 - Yuri's Revenge
    Counter-Strike: Source
    Counter-Strike: Source Beta
    DAEMON Tools Toolbar
    Debut Video Capture Software
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    Driver Detective
    DVD MovieFactory for TOSHIBA
    FinalAlert 2 Yuri's Revenge
    FL Studio 9
    Freecorder 5
    FTP Explorer
    FullRA Plus V3.03
    Game Maker 7.0
    Game Maker 8.0
    GameMaker 8.1
    Garry's Mod
    GCFScape 1.8.1
    GraphicsGale FreeEdition version 1.93.12
    H.264 Decoder
    Half-Life 2
    Half-Life 2: Episode One
    Half-Life 2: Episode Two
    Half-Life 2: Lost Coast
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Officejet 6500 E710a-f Basic Device Software
    HP Officejet 6500 E710a-f Help
    HP Officejet 6500 E710a-f Product Improvement Study
    HP Update
    HyperCam 2
    I.R.I.S. OCR
    IL Download Manager
    Instant Eyedropper 1.75
    Intel Matrix Storage Manager
    Intel(R) PROSet/Wireless Software
    Java(TM) 6 Update 22
    Java(TM) 6 Update 26
    Java(TM) SE Runtime Environment 6
    Kali II
    KeyText v3
    LAME v3.98.2 for Audacity
    LiveUpdate (Symantec Corporation)
    Logitech Gaming Software 5.10
    Macromedia Extension Manager
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Male Voice Pack
    Malwarebytes Anti-Malware version
    ManyCam 2.5.74 (remove only)
    Marketsplash Shortcuts
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft GIF Animator
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft XML Parser
    Minecraft 1.2.0_02
    MKV Splitter
    Mozilla Firefox (3.6.3)
    MSVCRT Redists
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Norton 360
    Norton 360 (Symantec Corporation)
    Norton 360 HTMLHelp
    Norton Confidential Core
    NVIDIA Photoshop Plug-ins
    OnlinePlay 1.0 3.3
    PDF Settings
    Plants vs. Zombies
    Pokemon Online 1.0.23
    Presto! PageManager 7.15.16
    Prism Video File Converter
    Project64 1.6
    Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver

    for Windows Vista
    Realtek High Definition Audio Driver
    RehanFX Shader Transitions and Effects (ShaderTFX)
    Samsung New PC Studio
    SAMSUNG USB Driver for Mobile Phones
    ScanSoft OmniPage SE 4
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile

    Security Update for Microsoft .NET Framework 4 Client Profile

    Security Update for Microsoft .NET Framework 4 Client Profile

    Security Update for Microsoft .NET Framework 4 Client Profile

    Security Update for Microsoft .NET Framework 4 Client Profile

    Security Update for Windows Media Encoder (KB2447961)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Silent Hill
    Source SDK
    Source SDK Base 2007
    SPBBC 32bit
    Spybot - Search & Destroy
    SRWare Iron 15.0.900.0
    Symantec Real Time Storage Protection Component
    Symantec Technical Support Controls
    Synaptics Pointing Device Driver
    System Requirements Lab
    Team Fortress 2
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Flash Cards Support Utility
    TOSHIBA Hardware Setup
    TOSHIBA Recovery Disc Creator
    Toshiba Registration
    TOSHIBA SD Memory Utilities
    TOSHIBA Software Modem
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    Toxic Biohazard
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Utility Common Driver
    VC80CRTRedist - 8.0.50727.762
    Vegas Pro 10.0
    VLC media player 1.0.5
    VTFEdit 1.2.5
    Westwood Shared Internet Components
    Winamp Detector Plug-in
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live Upload Tool
    Windows Media Encoder 9 Series
    WinPcap 4.1.2
    WinRAR archiver
    WorldsPlayer by
    ==== End Of File ===========================
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Welcome to TechSpot! I'll help with the malware. But we need to do some housekeeping first:

    Run the following to help restore the missing icons, programs, etc. We will handle the other cosmetic problems later:

    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note1 This does not remove the malware- only the attribute hiding these features, so it's important to continue.
    Note 2: If you are infected with System Check it is important that you do not delete any files from your Temp folder or use any temp file cleaners
    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.
    1. You are running 2 antivirus programs. You had Norton 360 and then you installed Avast on 1/30. Please remove one of them. Reboot the computer when through.

    2. Please uninstall Bit Comet/Bit Comet Helper while I am helping you- otherwise it's a matter of removing malware out the front door, but it comes right back in through the back door.

    3. Please update Java: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Be sure to check all download screens for any pre-check toolbars or BHO> if found, remove the check before the download.

    Also, open Firefox> Tools> Extensions> remove all outdated versions of Java. You will have malware in the Java cache which I will remove later.
    Please remove whatever programs you used previously and use the links I give you:

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Expect these- they are normal:
    1. If asked to install or or update the Recovery Console, allow. (you will need internet connection for this)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe [​IMG]& follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.[/b]
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
      • Note: No query will be made if the Recovery Console is already on the system.
    • .Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • .Close any open browsers.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    After I review the Combofix log, I will continue with the appropriate programs for you to run.
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.

    If I haven't replied back to you within 48 hours, you can send a PMwith your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.
    Please leave the Combofix log in your next reply.
  6. BlackMita

    BlackMita TS Rookie Topic Starter

    OK things started great initially, but then went completely downhill due to one specific choice I shouldn't have made, even though it was still following your instructions.

    I installed Unhide.exe and it worked perfectly. I also reset Firefox browser proxies ("No proxy" was already the default). The part where I had to remove one of my anti-virus programs is where I should have stopped:

    I don't actually have Norton working. It's been sitting on my PC for almost 3 years doing nothing. The subscription ran out, but I've never even been able to un-install it! But I tried to again anyway, because I didn't want to have to remove Avast, which was actually doing it's job and running.

    Trying to un-install Norton from the installed programs list just yields a pop up saying Norton LiveUpdate (or something) is in use and that I have to close that first to do the un-install... which is impossible because you can't do ANYTHING with a dead Norton but pay to reactivate it. Worth mentioning that Norton LiveUpdate isn't on the un-install list.

    So I made the choice to un-install Avast (basically my only virus protection) which prompted me to reboot.

    I then un-installed BitComet and anything Java from the list, then re-installed the latest Java successfully (mind you this is all happening without virus protection now). When I went to remove Java related Firefox extensions, all the uninstall buttons were grayed out, but the disable buttons were not, so I just disabled them all.

    Finally I downloaded ComboFix; ran it, and hit agree to the first prompt. The window then closed, nothing happened for about 3 minutes, then the blue screen finally appeared and closed my browser about a minute later... and then basically did nothing for 3 hours (meanwhile it says it'll only take 10-20 minutes). Really??

    Sometime during the last hour of just not wanting to touch ComboFix as it took its sweet time, I noticed some of my desktop icons had dissappeared again, and a "System Check" icon had appeared.

    I had to close ComboFix at this point, because I wanted to post this... but couldn't. Everytime I tried to open firefox, it said "it was already running and needed to be closed". So I rebooted, but it still said this. So I tried Internet Explorer, which simply wouldn't load at all.

    I'm now posting this from Safe mode with network in Firefox (finally working). I'm willing to do everything over (the 5 preliminary steps and a new thread) so long as I don't have to get rid of Avast during the clean up (it seems to have been the only thing actually suppressing all the problems!)

    The problem now is this would mean contradicting your instructions further: re-installing Avast. Should I get Avast again, and re-install it right now? (through Safe mode with networking; which is the only way I can even browse the internet now)
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    A lot of words there! I'll cut to the chase:

    Get an antivirus on the system now! Go ahead and put Avast back on> now.

    For Norton: Try booting into Safe Mode with Networking- the security program won't be running. The use the Norton Uninstaller:
    Norton Removal Tool
    I can remove left over processes with script in Combofix if needed. I haven't done that yet, because it could 'break' the uninstaller, so it's best to remove it all at once.

    IF the remover won't work, you can try removing it using the following- again, you may need to be in Safe Mode with Networking:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the Norton program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    You will need to reboot to complete the uninstall.

    Let me know.

    Many users think if they don't renew a subscription and ignore a program, it will just go away! But not so> processes are still loading for it. The update won't be current but the processes will run anyway
    "Java related Firefox extensions, all the uninstall buttons were grayed out">> this can happen if you're not signed on to the Administrative Account. Disabled is okay for now.
    If would be best if you can get Combofix to run as it will remove some of the System Check processes:
    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    First> Try to run Combofix from Safe Mode. If it doesn't scan, go to next step.

    Second: Delete Combofix file, download fresh one, but rename combofix.exe to
    friday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Third: Please download and run the below tool named Rkill (courtesy of which may help allow other programs to run.
    There are 3 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Rkill instructions
    Once you've gotten one of them to run
    • immediately double click on friday.exe to run Combofix
      If Combofix still won't run, add the following:

      Please download exeHelper by Raktor and save it to your desktop.
      • Double-click on or exeHelper.scr to run the fix tool.
      • A black window should pop up, press any key to close once the fix is completed.
      • A log file called exehelperlog.txt will be created and should open at the end of the scan)
      • A copy of that log will also be saved in the directory where you ran
      • Copy and paste the contents of exehelperlog.txt in your next reply.

      Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    • If normal mode still doesn't work, run BOTH tools from safe mode.

    Summary: Try Combofix scan in Safe Mode first.
    If it won't scan, delete then reinstall Combofix renaming before download.
    Run RKill then try Combofix
    Add exehelper if needed

    If needed, run all 3 programs in Safe Mode.
  8. BlackMita

    BlackMita TS Rookie Topic Starter

    Avast is back on.

    Tried running ComboFix in normal mode, but it never got to blue screen. So I deleted ComboFix, and re-downloaded it to desktop as Friday.exe then downloaded rkill and ran that (it seemed to work) then quickly ran Friday. Avast kept interrupting rkill, and I had to tell Avast to ignore over and over. Decided to try this again in safe mode (running rkill then Friday w/out having to disable Avast) and it got to blue screen this time.

    I then got a window saying "pev.3XE has stopped working and needs to be closed" which when pressed, makes a ComboFix window appear saying "disk root activity detected; must now reboot" where hitting OK reboots it (and to normal mode without asking...)

    Back in normal mode, ComboFix still does nothing, so I downloaded exehelper and ran all 3 (exehelper --> rkill --> Friday) but Avast interrupts again, so I reboot to safe mode and ran all 3 (exehelper --> rkill --> Friday) getting to ComboFix blue screen without interruption.



    exeHelper by Raktor
    Build 20100414
    Run at 08:34:36 on 02/01/12
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...

    exeHelper by Raktor
    Build 20100414
    Run at 08:39:22 on 02/01/12
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...

    exeHelper by Raktor
    Build 20100414
    Run at 08:50:01 on 02/01/12
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...


    During ComboFix scan, I get this message, about 40 seconds into blue screen:

    This message only had an OK button, which I clicked. From there ComboFix just stays at blue screen. pev.3XE prompt appeared again, but I didn't touch it, to give Combo more time... but ended up closing about 90 mins later to reply here.

    ComboFix has yet to produce any logs (or complete a scan I guess).

    P.S: I managed to remove Norton (without using AppRemover) by un-installing in safe mode, well before I first ran Friday.

    I really appreciate your help. My PC seems at least usable again, for the moment, so I won't run/do anything that isn't your instructions.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Think about the above for minute> if Avast is going to 'suppress' all the malware entries, how are we going to find them to remove? Or how will a scan remove them. The reason you run RKill is to stop those entries from running long enough to find and remove them. That's why you don't reboot after running it>> because the malware would start again.
    We're going to do some housekeeping:

    DeFogger CD Emulation: I see Damon Lite. IF you have any others of this type, please include them. You can reverse the process when we're finished.

    To disable CD Emulation programs using DeFogger please perform these steps:
    1. . Please download DeFogger to your desktop.
    2. . Double-click on the DeFogger icon to start the tool.
    3. . The application window will> appear> click on the Disable button to disable your CD Emulation drivers
    4. . At prompt to continue> click on the Yes button to continue
    5. . When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
    The following can be done when we're finished:
    Disable Tea Timer:
    • Right click the TeaTimer icon in the system Tray [​IMG]
    • Then click Exit Spybot-S&D Resident
    • (One you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe
    Please disable or uninstall the following:
    "c:\program files\instanteyedropper\InstantEyedropper.exe"
    There have been some issues while interacting with the application. The system tray icon did not respond the same way overtime when clicked. At times, the icon had to be depressed continually to enable the pixel magnifier.
    Please disable or uninstall the following:
    C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
    Description: Toshiba utility that allows you to change various hardware settings on your computer.
    Please remove this from the Startup menu:
    [MSConfig] "c:\windows\system32\msconfig.exe" /auto>> It means you are booting up using msconfig to control some aspect of what is being loaded at startup.
    Please disable from Startup:
    [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
    We need this to be a stable system, where you can run scans and produce logs that won't change every time you reboot. You have so many of these programs running it won't be possible to get a reliable scan.
    When all of the above has been handled, please run the following:
    • Download OTL from one of the links below and save it to your desktop.
      You just need one. Sometimes the file extension gets blocked.

      Note: When using these links, use Internet Explorer to download. If using Firefox, you should right-click and use "Save link As". Otherwise, on some systems, FF attempts to open the file as a script and just a bunch of gibberish is displayed.
    • Double click the OTL icon to run it.[​IMG]
    • The opened console will resemble this: [​IMG]
    • Set Output at the top to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the entries in the Codebox below> Paste in the Custom Scan box.
      %systemroot%\*. /mp /s
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
      Make sure all other windows are closed and to let it run uninterrupted.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
    Please post the 2 logs from OTL in your next reply.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...