1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

AntiSpyware Soft

Discussion in 'Virus & Other Malware Removal' started by TheScientist, May 10, 2010.

Thread Status:
Not open for further replies.
Advertisement
  1. TheScientist

    TheScientist Thread Starter

    Joined:
    Nov 8, 2009
    Messages:
    30
    So a few days ago, I discovered AntiSpyware Soft had embedded itself in my computer, resulting in warnings by a fake anti-virus program and my computer running very very slowly. After using StopZilla, as recommended by several sources online, the trojan seemed to be removed and was not detected by StopZilla or SpyWare Doctor, a scanner that was also recommended. Alas, tonight the fake anti-virus popped up again and my computer is back to running at a snail's pace.

    Any help would be truly appreciated. Thank you so much.

    HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:30:24 AM, on 11/20/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18319)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Windows\ehome\ehtray.exe
    C:\Users\Leland\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\Program Files\AIM\aim.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Windows\system32\taskmgr.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\System32\notepad.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-PG4QF.exe" /REG
    O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [{F272FED5-AE54-6F82-BB97-C42F67785C65}] \wtfdll.exe
    O4 - HKCU\..\Run: [omgwtf1] \wtfdll.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Leland\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
    O4 - HKCU\..\Run: [Zomglawlz] C:\Users\Leland\AppData\Roaming:Zomg.exe
    O4 - HKCU\..\Run: [systemlibrary] C:\Users\Leland\AppData\Roaming\systemlibrary.exe
    O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 13419 bytes
     
  2. TheScientist

    TheScientist Thread Starter

    Joined:
    Nov 8, 2009
    Messages:
    30
    Bump/update: I may have successfully removed AntiSpyware Soft manually, but my computer is still running very slowly and sometimes AVG warns me I have a trojan.
     
  3. jmw3

    jmw3 Malware Specialist

    Joined:
    Jul 23, 2007
    Messages:
    1,460
    Hello & Welcome to TechSupportGuy

    Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

    In the meantime please note the following:
    • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
    • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
      1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
      2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
    • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
    • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
    Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
    If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

    Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

    Because of this, I advise you to backup any personal files and folders before you start.

    Thanks

    DeFogger
    Download DeFogger by jpshortstuff from here & save it to your desktop.
    • Right click DeFogger then choose Run as Administrator to run the tool
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A Finished! message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
    Do not re-enable these drivers until otherwise instructed.

    DDS
    Download DDS.scr by sUBs from one of the following links & save it to your desktop.
    Link 1
    Link 2
    • Double-Click on dds.scr and a command window will appear. This is normal
    • Shortly after two logs will appear, DDS.txt & Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply
    Gmer
    Download GMER Rootkit Scanner from here & save it to your desktop.
    • Right click the .exe file then choose Run as Administrator to run the program. If asked to allow gmer.sys driver to load, please consent
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

      [​IMG]
      Click the image to enlarge it
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
    • Save it where you can easily find it, such as your desktop, and post it in reply
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

    Do not run any programs while Gmer is running.

    NOTE: If you cannot run GMER as indicated above, save a scan from the initial startup scan.
    • Before scanning, make sure all other running programs are closed & no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan
    • Double click the gmer.exe file
    • The program will begin to run & perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No
    • After the "initial scan" is complete, click on the Save button, save the log file to your desktop & post it in your reply


    To post in next reply:
    Contents of DDS log
    Contents of Attach.txt
    Contents of Gmer log
     
  4. TheScientist

    TheScientist Thread Starter

    Joined:
    Nov 8, 2009
    Messages:
    30
    Hi jmw93. Thank you so much for your attention and help.

    The first two steps of your post, Defogger and DDS, worked fine and I will post the DDS results at the end of my post.

    However, I have been having problems running Gmer on six different occassions and I wasn't even able to save a scan from the initial start-up scan:

    1. The scan seemed to be successful, but when I pressed "Save..." my computer froze.
    2. In the middle of the scan, I got the blue screen of death.
    3. I left the program running while I went to sleep. I woke up two hours later and my screen was black and the computer was unresponsive.
    4. I deleted and re-downloaded the program. After two minutes of scanning, my screen went black and unresponsive.
    5. I turned off my screen saver, as I didn't know if that was considered a program running. I got the blue screen of death after 15 minutes.
    6. Once again, I re-downloaded the program. My computer froze after three minutes of scanning and was stuck that way for about 20 minutes.
    Should I keep trying Gmer or do you have another suggestion?

    DDS.txt:

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Leland at 0:58:33.75 on Wed 05/12/2010
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_18
    Microsoft® Windows Vista&#8482; Home Premium 6.0.6001.1.1252.1.1033.18.1917.845 [GMT -7:00]

    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Users\Leland\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Toshiba\IVP\ISM\pinger.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\STOPzilla!\STOPzilla.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\taskmgr.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Leland\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.toshibadirect.com/dpdstart
    uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [Google Update] "c:\users\leland\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [AdobeBridge]
    uRun: [googletalk] c:\users\leland\appdata\roaming\google\google talk\googletalk.exe /autostart
    uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US /HIDEBL
    mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
    mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
    mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    Trusted Zone: aol.com\free
    Trusted Zone: intuit.com\ttlc
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GoogleDesktopNetwork3.dll,avgrsstx.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\leland\appdata\roaming\mozilla\firefox\profiles\zutbbn9b.leland\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - www.google.com/ig
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\cambridgesoft\chemoffice2006\chem3d\npChem3DPlugin.dll
    FF - plugin: c:\program files\cambridgesoft\chemoffice2006\chemdraw\NPCDP32.DLL
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\users\leland\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\users\leland\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
    R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-28 216200]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-28 29512]
    R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-28 242896]
    R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
    R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
    R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-25 24652]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-8-22 7168]
    S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-11-2 18176]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-1-23 7680]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-10-10 42112]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-20 23680]
    S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]

    =============== Created Last 30 ================

    2010-05-12 07:35:26 0 ----a-w- c:\users\leland\defogger_reenable
    2010-05-12 03:27:11 249603907 ----a-w- c:\windows\MEMORY.DMP
    2010-05-11 05:13:12 0 d-----w- c:\programdata\DivX
    2010-05-06 05:18:06 3919872 ---ha-w- C:\SZKGFS.dat
    2010-05-05 22:18:06 0 d-----w- c:\programdata\SITEguard
    2010-05-05 22:14:43 0 d-----w- c:\program files\STOPzilla!
    2010-05-05 22:14:42 0 d-----w- c:\programdata\STOPzilla!
    2010-05-05 22:14:42 0 d-----w- c:\program files\common files\iS3
    2010-05-05 18:35:24 0 d---a-w- c:\programdata\TEMP
    2010-05-01 16:47:35 0 d-----w- c:\windows\system32\EventProviders
    2010-04-14 23:54:24 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-04-14 23:54:23 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-04-14 23:54:23 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-04-14 23:54:20 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-04-14 23:54:16 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-04-14 23:54:15 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-04-14 23:54:12 62464 ----a-w- c:\windows\system32\l3codeca.acm
    2010-04-14 23:54:07 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-04-14 23:54:07 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-04-14 23:54:06 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-04-14 18:04:10 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
    2010-04-13 17:08:08 171520 ----a-w- c:\windows\system32\wintrust.dll
    2010-04-13 17:08:05 98304 ----a-w- c:\windows\system32\cabview.dll

    ==================== Find3M ====================

    2010-04-20 15:21:18 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-29 18:56:46 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-03-29 18:56:45 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-03-29 18:56:45 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-03-15 15:35:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-15 15:34:19 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-09 16:28:40 833024 ----a-w- c:\windows\system32\wininet.dll
    2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-09 14:01:47 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-03-06 01:16:42 17408 ----a-r- c:\windows\system32\SZIO5.dll
    2010-03-06 01:14:16 442368 ----a-r- c:\windows\system32\SZBase5.dll
    2010-03-06 01:13:44 540672 ----a-r- c:\windows\system32\SZComp5.dll
    2010-02-20 23:39:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:37:20 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-05 00:08:59 174 --sha-w- c:\program files\desktop.ini
    2009-10-04 23:40:30 665600 ----a-w- c:\windows\inf\drvindex.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 1:01:42.82 ===============

    Attach.txt:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista&#8482; Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 11/28/2007 6:50:27 AM
    System Uptime: 5/12/2010 12:44:55 AM (1 hours ago)

    Motherboard: ATI | | SB600
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-60 | Socket M2/S1G1 | 2000/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 231 GiB total, 87.535 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0001
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0001
    Service: tunmp

    ==== System Restore Points ===================


    ==== Installed Programs ======================


    µTorrent
    AAC Decoder
    AC3Filter (remove only)
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    Ad-Aware
    Adobe Acrobat 9 Pro - English, Français, Deutsch
    Adobe Acrobat 9.3.2 - CPSID_53951
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe After Effects CS4
    Adobe After Effects CS4 Presets
    Adobe After Effects CS4 Third Party Content
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Asset Services CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Recommended Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Extra Settings CS4
    Adobe Color Video Profiles AE CS4
    Adobe Color Video Profiles CS CS4
    Adobe Contribute CS4
    Adobe Creative Suite 4 Master Collection
    Adobe CS4 American English Speech Analysis Models
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Dreamweaver CS4
    Adobe Drive CS4
    Adobe Dynamiclink Support
    Adobe Encore CS4
    Adobe Encore CS4 Codecs
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Fireworks CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe InDesign CS4
    Adobe InDesign CS4 Application Feature Set Files (Roman)
    Adobe InDesign CS4 Common Base Files
    Adobe InDesign CS4 Icon Handler
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Encoder CS4 Additional Exporter
    Adobe Media Encoder CS4 Dolby
    Adobe Media Encoder CS4 Exporter
    Adobe Media Encoder CS4 Importer
    Adobe Media Player
    Adobe MotionPicture Color Files CS4
    Adobe OnLocation CS4
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Premiere Pro CS4
    Adobe Premiere Pro CS4 Functional Content
    Adobe Premiere Pro CS4 Third Party Content
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe SGM CS4
    Adobe Shockwave Player 11
    Adobe SING CS4
    Adobe Soundbooth CS4
    Adobe Soundbooth CS4 Codecs
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe Version Cue CS4 Server
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    AIM 7
    AIM Toolbar
    Amazon MP3 Downloader 1.0.3
    Apple Software Update
    Atheros Driver Installation Program
    ATI Catalyst Install Manager
    Audacity 1.3.11 (Unicode)
    AutoUpdate
    AVG Free 9.0
    AVIcodec (remove only)
    Bluetooth Stack for Windows by Toshiba
    CambridgeSoft ChemOffice Ultra 2006
    Camera Assistant Software for Toshiba
    Canon Inkjet Printer Driver Add-On Module
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Czech
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CD/DVD Drive Acoustic Silencer
    Compatibility Pack for the 2007 Office system
    Connect
    Creative Jukebox Driver
    Creative Removable Disk Manager
    Creative System Information
    Creative Zen Micro
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    Download Updater (AOL LLC)
    DVD MovieFactory for TOSHIBA
    Easy Video Joiner 5.21
    Google Chrome
    Google Desktop
    Google Talk (remove only)
    Google Talk Plugin
    Google Toolbar for Internet Explorer
    H.264 Decoder
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ImageJ 1.40g
    iSEEK AnswerWorks English Runtime
    Java Auto Updater
    Java(TM) 6 Update 18
    kuler
    Machinarium
    Malwarebytes' Anti-Malware
    Media Player Classic - Home Cinema v. 1.3.1249.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft XML Parser
    MKV Splitter
    Motorola Driver Installation
    Motorola Software Update
    Mozilla Firefox (3.6.3)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Octoshape add-in for Adobe Flash Player
    OGA Notifier 2.0.0048.0
    Orbit Downloader
    PDF Settings CS4
    Photoshop Camera Raw
    Picasa 2
    Pixel Bender Toolkit
    QuickBooks Financial Center
    QuickTime
    RealPlayer
    Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
    Realtek High Definition Audio Driver
    RealWorld Icon Editor
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
    ScanAlyze
    Seagate Manager Installer
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Media Encoder (KB954156)
    Skins
    SnagIt 7
    SpeedFan (remove only)
    STOPzilla
    Suite Shared Configuration CS4
    Synaptics Pointing Device Driver
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Games
    TOSHIBA Hardware Setup
    Toshiba Registration
    TOSHIBA SD Memory Utilities
    TOSHIBA Software Modem
    TOSHIBA Software Upgrades
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TurboTax 2009
    TurboTax 2009 wcaiper
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC80CRTRedist - 8.0.50727.4053
    Viewpoint Media Player
    Winbond CIR Device Drivers
    Windows Media Encoder 9 Series
    Windows Media Player Firefox Plugin
    WinRAR archiver

    ==== End Of File ===========================
     
  5. jmw3

    jmw3 Malware Specialist

    Joined:
    Jul 23, 2007
    Messages:
    1,460
    Hi

    In Gmer uncheck everything except Sections & C:\ then try it. If you still have problems then boot to Safe Mode & run Gmer from there.
     
  6. TheScientist

    TheScientist Thread Starter

    Joined:
    Nov 8, 2009
    Messages:
    30
    Running Gmer on Safe Mode with only Sections and C checked worked.

    Gmer.txt:
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-05-12 19:35:52
    Windows 6.0.6001 Service Pack 1
    Running: fyfef3yb.exe; Driver: C:\Users\Leland\AppData\Local\Temp\pfloafod.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetTimerEx + 854 822C6F18 4 Bytes [10, 17, 76, 80] {ADC [EDI], DL; JBE 0xffffffffffffff84}
    .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x87B55000, 0x4036D, 0xE8000020]
    .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x87B9E000, 0x510, 0x40000040]

    ---- EOF - GMER 1.0.15 ----
     
  7. jmw3

    jmw3 Malware Specialist

    Joined:
    Jul 23, 2007
    Messages:
    1,460
    Hi

    Note about Stopzilla:
    Stopzilla is quite a resource hog & to be honest, I wouldn't really recommend having it on your computer. It has been pushed by malware - which means, malware causes popups where it asks to install Stopzilla. This makes Stopzilla a questionable application. Your choice but personally I wouldn't touch it.

    P2P Warning!
    IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    µTorrent

    Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
    P2P file sharing used to be fairly safe. That is no longer true. I'd like you to read the Perils of P2P File Sharing where we explain why it's not a good idea to have them.
    References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
    http://www.techweb.com/wire/160500554
    http://www.internetworldstats.com/articles/art053.htm
    See Clean/Infected P2P Programs here

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    I see you have AVG9 installed, but it doesn't appear to be enabled. What's the status with it?

    ComboFix
    Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
    Link 1
    Link 2

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
      A guide to do this can be found here
    • Right-click on ComboFix.exe then choose Run as Administrator & follow the prompts
    • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
    A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    To post in next reply:
    ComboFix log
    Update on how the computer is running
    AVG9 status
     
  8. TheScientist

    TheScientist Thread Starter

    Joined:
    Nov 8, 2009
    Messages:
    30
    I only used StopZilla because of this incident and I only used it to scan for infections. Now that i have your help, I have uninstalled it.

    I know it's up to me so this is trivial, but for the record, I don't use uTorrent anymore; I foolishly keep the program just in case there's ever something I want down the road.

    I think AVG is enabled and if it's not, then I'm concerned. I attached a screenshot of the interface and it says everything is activated.

    Now I have a silly question....how do I disable AVG in order to run ComboFix?
     

    Attached Files:

    • AVG.jpg
      AVG.jpg
      File size:
      82 KB
      Views:
      4
  9. jmw3

    jmw3 Malware Specialist

    Joined:
    Jul 23, 2007
    Messages:
    1,460
    Hi
    OK... Good

    OK, no problem. It's just not registered with the WMI. That's not a big deal. Just wanted to make sure you had some sort of Anti-virus protection.

    See if this helps:
    http://free.avg.com/au-en/faq.num-1311#faq_1311
     
  10. TheScientist

    TheScientist Thread Starter

    Joined:
    Nov 8, 2009
    Messages:
    30
    My computer seems to be working at full speed.

    ComboFix.txt:
    ComboFix 10-05-13.01 - Leland 05/13/2010 10:30:25.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.1116 [GMT -7:00]
    Running from: c:\users\Leland\Desktop\ComboFix.exe
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Leland\AppData\Local\Temp\sfamcc00001.dll
    c:\users\Leland\AppData\Local\temp\sfareca00001.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
    .

    2010-05-13 17:40 . 2010-05-13 17:44 -------- d-----w- c:\users\Leland\AppData\Local\temp
    2010-05-13 17:40 . 2010-05-13 17:40 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-05-13 17:40 . 2010-05-13 17:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-05-13 17:40 . 2010-05-13 17:40 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-05-13 04:35 . 2010-05-13 16:40 -------- d-----w- c:\program files\Common Files\Steam
    2010-05-13 04:34 . 2010-05-13 16:40 -------- d-----w- c:\program files\Steam
    2010-05-12 11:36 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
    2010-05-11 05:13 . 2010-05-11 05:13 -------- d-----w- c:\programdata\DivX
    2010-05-10 05:19 . 2010-05-10 16:42 -------- d-----w- c:\users\Leland\AppData\Local\ygerqkujf
    2010-05-06 05:18 . 2010-05-06 05:18 3919872 ---ha-w- C:\SZKGFS.dat
    2010-05-05 22:18 . 2010-05-05 22:18 -------- d-----w- c:\programdata\SITEguard
    2010-05-05 22:14 . 2010-05-13 04:20 -------- d-----w- c:\programdata\STOPzilla!
    2010-05-05 22:14 . 2010-05-05 22:14 -------- d-----w- c:\program files\Common Files\iS3
    2010-05-01 16:47 . 2010-05-01 16:47 -------- d-----w- c:\windows\system32\EventProviders
    2010-04-15 17:06 . 2010-04-15 17:06 -------- d-----w- c:\users\Leland\AppData\Local\AIM Toolbar
    2010-04-14 23:54 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-04-14 23:54 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-04-14 23:54 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-04-14 23:54 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-04-14 23:54 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-04-14 23:54 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-04-14 23:54 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-04-14 23:54 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-04-14 23:54 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-04-14 18:04 . 2009-08-20 07:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-13 16:45 . 2008-06-26 18:06 0 ----a-w- c:\users\Leland\AppData\Local\prvlcl.dat
    2010-05-12 12:33 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-05-07 05:02 . 2008-05-03 22:01 -------- d-----w- c:\users\Leland\AppData\Roaming\uTorrent
    2010-05-05 18:17 . 2009-01-28 04:55 1356 ----a-w- c:\users\Leland\AppData\Local\d3d9caps.dat
    2010-04-20 15:21 . 2009-11-28 10:06 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-02 08:30 . 2010-03-30 20:41 -------- d-----w- c:\users\Leland\AppData\Roaming\Audacity
    2010-03-30 20:41 . 2010-03-30 20:41 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
    2010-03-29 18:55 . 2010-03-29 17:01 -------- d-----w- c:\program files\Creative
    2010-03-29 17:36 . 2007-08-22 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-29 15:07 . 2008-05-03 22:01 -------- d-----w- c:\program files\uTorrent
    2010-03-29 06:21 . 2009-08-31 05:48 -------- d-----w- c:\users\Leland\AppData\Roaming\Orbit
    2010-03-29 00:13 . 2010-03-29 00:13 -------- d-----w- c:\users\Administrator\AppData\Roaming\acccore
    2010-03-28 19:47 . 2010-03-28 19:47 -------- d-----w- c:\program files\AIM Toolbar
    2010-03-28 19:47 . 2010-03-28 19:47 -------- d-----w- c:\programdata\AIM Toolbar
    2010-03-28 19:47 . 2010-03-28 19:47 -------- d-----w- c:\program files\Common Files\Software Update Utility
    2010-03-28 19:46 . 2009-11-04 02:31 -------- d-----w- c:\program files\AIM
    2010-03-24 19:42 . 2008-03-26 01:13 124336 ----a-w- c:\users\Leland\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-03-23 16:19 . 2010-03-23 16:19 -------- d-----w- c:\program files\Common Files\SWF Studio
    2010-03-15 15:35 . 2010-03-15 15:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-15 15:35 . 2009-11-28 10:06 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-15 15:34 . 2009-11-28 09:58 -------- d-----w- c:\programdata\avg9
    2010-03-15 15:34 . 2009-11-28 10:06 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-09 16:28 . 2010-04-01 17:48 833024 ----a-w- c:\windows\system32\wininet.dll
    2010-03-09 16:25 . 2010-04-01 17:48 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-09 14:01 . 2010-04-01 17:48 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-20 23:39 . 2010-03-09 23:50 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:37 . 2010-03-09 23:50 31232 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 21:18 . 2010-03-09 23:50 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\users\Leland\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-02-12 133104]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "googletalk"="c:\users\Leland\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]
    "Steam"="c:\program files\Steam\Steam.exe" [2010-05-13 1238352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-04-04 38840]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-04-03 640440]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
    R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
    R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-24 7680]
    R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-11 42112]
    R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-20 23680]
    R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-03-28 43008]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-09-11 721904]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-15 216200]
    S1 AvgTdiX;AVG Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-20 242896]
    S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-15 308064]
    S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3222351459-3557411957-99243863-1000Core.job
    - c:\users\Leland\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-11 05:00]

    2010-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3222351459-3557411957-99243863-1000UA.job
    - c:\users\Leland\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-11 05:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.toshibadirect.com/dpdstart
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - c:\users\Leland\AppData\Roaming\Mozilla\Firefox\Profiles\zutbbn9b.Leland\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - www.google.com/ig
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\CambridgeSoft\ChemOffice2006\Chem3D\npChem3DPlugin.dll
    FF - plugin: c:\program files\CambridgeSoft\ChemOffice2006\ChemDraw\NPCDP32.DLL
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\users\Leland\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\users\Leland\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    HKCU-Run-AdobeBridge - (no file)



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(3728)
    c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
    c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
    c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
    c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\toshiba\IVP\ISM\pinger.exe
    c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    c:\toshiba\IVP\swupdate\swupdtmr.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\ehome\ehmsas.exe
    c:\users\Leland\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Common Files\Steam\SteamService.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-13 10:55:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-13 17:55
    ComboFix2.txt 2009-11-25 21:28

    Pre-Run: 90,585,858,048 bytes free
    Post-Run: 94,203,105,280 bytes free

    - - End Of File - - A402259D8C32DB83AF85BAEF0209C23D
     
  11. jmw3

    jmw3 Malware Specialist

    Joined:
    Jul 23, 2007
    Messages:
    1,460
    Hi

    Good to hear your computer is running well. Just a little more to do.

    CFScript
    Close any open browsers.
    Open notepad and copy/paste the text in the code box below into it:

    Code:
    Folder::
    c:\users\Leland\AppData\Local\ygerqkujf
    c:\programdata\STOPzilla!
    c:\program files\Common Files\iS3
    File::
    C:\SZKGFS.dat
    DDS::
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    Trusted Zone: aol.com\free
    Trusted Zone: intuit.com\ttlc
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    Save this as CFScript.txt, in the same location as ComboFix.exe

    [​IMG]

    Refering to the picture above, drag CFScript into ComboFix.exe
    If prompted by ComboFix to update, please do so
    When finished, it shall produce a log for you at "C:\ComboFix.txt"
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    Update Java Runtime
    You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 20.
    • Download the latest version of Java Runtime Environment (JRE) 6 Here
    • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)"
    • Click the orange Download JRE button to the right
    • Select the Windows platform from the dropdown menu
    • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
    • Click on the link to download Windows Offline Installation & save the file to your desktop
    • Close any programs you may have running - especially your web browser
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions
    • Reboot your computer once all Java components are removed
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked
        • Applications and Applets
          Trace and Log Files
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel
    Kaspersky Online Scan
    Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it
    Go to Kaspersky website and perform an online antivirus scan
    • Read through the requirements and privacy statement and click on Accept button
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
    • When the downloads have finished, click on Settings
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan
    • Once the scan is complete, it will display the results. Click on View Scan Report
    • You will see a list of infected items there. Click on Save Report As...
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply
    Pictured tutorial if required.
    This scan can take quite a while to update & scan, so please be patient with it.

    To post in next reply:
    ComboFix log
    Kaspersky Online Scan log
     
  12. TheScientist

    TheScientist Thread Starter

    Joined:
    Nov 8, 2009
    Messages:
    30
    ComboFix.txt:
    ComboFix 10-05-13.03 - Leland 05/13/2010 21:37:51.4.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.1105 [GMT -7:00]
    Running from: c:\users\Leland\Desktop\ComboFix.exe
    Command switches used :: c:\users\Leland\Desktop\CFScript.txt
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "C:\SZKGFS.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\iS3
    c:\program files\Common Files\iS3\Anti-Spyware\sgdfull.rsf
    c:\programdata\STOPzilla!
    c:\programdata\STOPzilla!\modules_scanned.db
    c:\programdata\STOPzilla!\modules_scanned.db.bak
    c:\programdata\STOPzilla!\scanner.log
    c:\programdata\STOPzilla!\sgdefs.db
    c:\programdata\STOPzilla!\sgdwc.db
    c:\programdata\STOPzilla!\userdata.db
    c:\programdata\STOPzilla!\zilla5.log
    C:\SZKGFS.dat
    c:\users\Leland\AppData\Local\Temp\sfamcc00001.dll
    c:\users\Leland\AppData\Local\Temp\sfareca00001.dll
    c:\users\Leland\AppData\Local\ygerqkujf

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
    .

    2010-05-14 04:47 . 2010-05-14 04:51 -------- d-----w- c:\users\Leland\AppData\Local\temp
    2010-05-14 04:47 . 2010-05-14 04:47 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-05-14 04:47 . 2010-05-14 04:47 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-05-14 04:47 . 2010-05-14 04:47 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-05-13 04:35 . 2010-05-13 16:40 -------- d-----w- c:\program files\Common Files\Steam
    2010-05-13 04:34 . 2010-05-13 17:58 -------- d-----w- c:\program files\Steam
    2010-05-12 11:36 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
    2010-05-11 05:13 . 2010-05-11 05:13 -------- d-----w- c:\programdata\DivX
    2010-05-05 22:18 . 2010-05-05 22:18 -------- d-----w- c:\programdata\SITEguard
    2010-05-01 16:47 . 2010-05-01 16:47 -------- d-----w- c:\windows\system32\EventProviders
    2010-04-15 17:06 . 2010-04-15 17:06 -------- d-----w- c:\users\Leland\AppData\Local\AIM Toolbar
    2010-04-14 23:54 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-04-14 23:54 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-04-14 23:54 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-04-14 23:54 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-04-14 23:54 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-04-14 23:54 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-04-14 23:54 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-04-14 23:54 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-04-14 23:54 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-04-14 18:04 . 2009-08-20 07:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-13 16:45 . 2008-06-26 18:06 0 ----a-w- c:\users\Leland\AppData\Local\prvlcl.dat
    2010-05-12 12:33 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-05-07 05:02 . 2008-05-03 22:01 -------- d-----w- c:\users\Leland\AppData\Roaming\uTorrent
    2010-05-05 18:17 . 2009-01-28 04:55 1356 ----a-w- c:\users\Leland\AppData\Local\d3d9caps.dat
    2010-04-20 15:21 . 2009-11-28 10:06 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-02 08:30 . 2010-03-30 20:41 -------- d-----w- c:\users\Leland\AppData\Roaming\Audacity
    2010-03-30 20:41 . 2010-03-30 20:41 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
    2010-03-29 18:55 . 2010-03-29 17:01 -------- d-----w- c:\program files\Creative
    2010-03-29 17:36 . 2007-08-22 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-29 15:07 . 2008-05-03 22:01 -------- d-----w- c:\program files\uTorrent
    2010-03-29 06:21 . 2009-08-31 05:48 -------- d-----w- c:\users\Leland\AppData\Roaming\Orbit
    2010-03-29 00:13 . 2010-03-29 00:13 -------- d-----w- c:\users\Administrator\AppData\Roaming\acccore
    2010-03-28 19:47 . 2010-03-28 19:47 -------- d-----w- c:\program files\AIM Toolbar
    2010-03-28 19:47 . 2010-03-28 19:47 -------- d-----w- c:\programdata\AIM Toolbar
    2010-03-28 19:47 . 2010-03-28 19:47 -------- d-----w- c:\program files\Common Files\Software Update Utility
    2010-03-28 19:46 . 2009-11-04 02:31 -------- d-----w- c:\program files\AIM
    2010-03-24 19:42 . 2008-03-26 01:13 124336 ----a-w- c:\users\Leland\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-03-23 16:19 . 2010-03-23 16:19 -------- d-----w- c:\program files\Common Files\SWF Studio
    2010-03-15 15:35 . 2010-03-15 15:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-15 15:35 . 2009-11-28 10:06 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-15 15:34 . 2009-11-28 09:58 -------- d-----w- c:\programdata\avg9
    2010-03-15 15:34 . 2009-11-28 10:06 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-09 16:28 . 2010-04-01 17:48 833024 ----a-w- c:\windows\system32\wininet.dll
    2010-03-09 16:25 . 2010-04-01 17:48 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-09 14:01 . 2010-04-01 17:48 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-20 23:39 . 2010-03-09 23:50 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:37 . 2010-03-09 23:50 31232 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 21:18 . 2010-03-09 23:50 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\users\Leland\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-02-12 133104]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "googletalk"="c:\users\Leland\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]
    "Steam"="c:\program files\Steam\Steam.exe" [2010-05-13 1238352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-04-04 38840]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-04-03 640440]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
    R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
    R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-24 7680]
    R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-11 42112]
    R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-20 23680]
    R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-03-28 43008]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-09-11 721904]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-15 216200]
    S1 AvgTdiX;AVG Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-20 242896]
    S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-15 308064]
    S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3222351459-3557411957-99243863-1000Core.job
    - c:\users\Leland\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-11 05:00]

    2010-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3222351459-3557411957-99243863-1000UA.job
    - c:\users\Leland\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-11 05:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.toshibadirect.com/dpdstart
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Leland\AppData\Roaming\Mozilla\Firefox\Profiles\zutbbn9b.Leland\
    FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
    FF - prefs.js: browser.startup.homepage - www.google.com/ig
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\CambridgeSoft\ChemOffice2006\Chem3D\npChem3DPlugin.dll
    FF - plugin: c:\program files\CambridgeSoft\ChemOffice2006\ChemDraw\NPCDP32.DLL
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\users\Leland\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\users\Leland\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(4708)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\toshiba\IVP\ISM\pinger.exe
    c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    c:\toshiba\IVP\swupdate\swupdtmr.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    c:\windows\ehome\ehmsas.exe
    c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    c:\program files\Synaptics\SynTP\SynTPEnh.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    c:\users\Leland\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Synaptics\SynTP\SynToshiba.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-13 22:02:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-14 05:02
    ComboFix2.txt 2009-11-25 21:28

    Pre-Run: 93,434,179,584 bytes free
    Post-Run: 93,467,086,848 bytes free

    - - End Of File - - ACC1E31658CC8986FC85C4093E5F472E

    Kaspersky:
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Friday, May 14, 2010
    Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Friday, May 14, 2010 04:34:06
    Records in database: 4111428
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\

    Scan statistics:
    Objects scanned: 244946
    Threats found: 1
    Infected objects found: 0
    Suspicious objects found: 4
    Scan duration: 03:28:03


    File name / Threat / Threats count
    C:\Users\Leland\AppData\Local\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 4

    Selected area has been scanned.
     
  13. jmw3

    jmw3 Malware Specialist

    Joined:
    Jul 23, 2007
    Messages:
    1,460
    Hi

    The Kaspersky scan has flagged some dodgy emails in Outlook by the look of it. Unfortunately it doesn't tell us which are emails are suspect. I would suggest cleaning out all folders in your Outlook, keeping only what is important. Other than that it looks pretty good.

    Clean Up
    Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
    Remove ComboFix
    The following will implement some cleanup procedures as well as reset System Restore points:
    Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
    ComboFix /Uninstall
    OTC
    Download OTC by Old Timer here & save it to your desktop.
    Double click on OTC.exe. Click on CleanUp!.
    You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
    It will restart your computer automatically. If it doesn't, please restart your computer manually.
    You can delete the following from your desktop:
    DDS.scr
    The Gmer.exe file (it will be randomly named .exe file)
    Any logs that may have been saved to your desktop

    You should also remove HijackThis. You can do this by going to C:\Program Files\Trend Micro\HijackThis
    • Double click HijackThis.exe
    • From the Main menu click Open the Misc Tools section
    • Using the scroll bar, scroll down to Uninstall HijackThis
    • Click Uninstall HijackThis & exit then click Yes at the prompt
    Let me now how you go with this before we wrap this up.
     
  14. TheScientist

    TheScientist Thread Starter

    Joined:
    Nov 8, 2009
    Messages:
    30
    Hi jmw3. I'll try to track down the problematic e-mail in Outlook. The clean-up went fine and everything has been removed.

    Thank you so much for your attention, help, and prompt responses.
     
  15. jmw3

    jmw3 Malware Specialist

    Joined:
    Jul 23, 2007
    Messages:
    1,460
    No problem at all.... Glad I could help.

    All Clean
    Now that your system is safe we would like you to keep it that way. Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

    Create a Clean System Restore Point
    Create a new, clean System Restore point which you can use in case of future system problems:
    Press Start->All Programs->Accessories->System Tools->System Restore
    Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
    Now remove old, infected System Restore points:
    Next click Start->Run and type cleanmgr in the box and click OK
    Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
    Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
    Click OK and Yes to confirm.

    Microsoft Windows Update
    Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
    To update Windows
    Go to Start > All Programs > Windows Update
    To update Office
    Open up any Office program.
    Go to Help > Check for Updates

    Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
    You can find a tutorial here. Keep it updated & run it regularly.

    SpywareBlaster
    Download and install Javacools SpywareBlaster from here
    SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

    Download and Install a HOSTS File
    A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
    Install MVPS Hosts File From Here
    The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    You can Find the Tutorial HERE

    Web of Trust
    WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and Internet Explorer.

    Install WinPatrol
    Download it here
    You can find information about how WinPatrol works here

    Read some information here on how to prevent Malware.

    Hopefully these steps will help keep your computer clean.

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Good Luck & Surf Safe
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/922153

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice