
Random ads playing in speaker

Discussion in 'Virus & Other Malware Removal' started by slhtarheelfan02, Jun 20, 2012.

Thread Status:
Not open for further replies.
  1. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Looks like we really have some tricky ones here...

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      Firefox::
      FF - ProfilePath - c:\users\slhbabydoll98\AppData\Roaming\Mozilla\Firefox\Profiles\9155nu8m.default\
      FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
      FF - prefs.js: browser.search.selectedEngine - Veoh Web Player Customized Web Search
      FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
      FF - prefs.js: keyword.URL - hxxp://blekko.com/ws/?source=6a1885c1&tbp=url&toolbarid=blekkotb_002&u=___userid___&q=
      FF - prefs.js: network.proxy.type - 0
      FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109454
      FF - user.js: extensions.BabylonToolbar_i.babExt - 
      FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
      FF - user.js: extensions.BabylonToolbar_i.id - 34033ba70000000000001c659dba94aa
      FF - user.js: extensions.BabylonToolbar_i.hardId - 34033ba70000000000001c659dba94aa
      FF - user.js: extensions.BabylonToolbar_i.instlDay - 15355
      FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
      FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
      FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1722:54
      FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
      FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
      FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
      FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
      FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
      FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
     
  2. slhtarheelfan02

    slhtarheelfan02 Thread Starter

    Joined:
    Jun 20, 2012
    Messages:
    42
    ComboFix 12-06-28.01 - slhbabydoll98 07/01/2012 14:56:11.8.2 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3836.2719 [GMT -4:00]
    Running from: c:\users\slhbabydoll98\Desktop\ComboFix.exe
    Command switches used :: c:\users\slhbabydoll98\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-01 to 2012-07-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-01 19:04 . 2012-07-01 19:04 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-28 15:14 . 2012-06-28 15:14 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-06-25 16:35 . 2012-06-25 16:35 -------- d-s---w- c:\windows\SysWow64\Microsoft
    2012-06-23 04:17 . 2012-06-23 04:17 -------- d-----w- c:\windows\system32\SPReview
    2012-06-23 03:56 . 2010-11-20 09:01 2560 ----a-w- c:\windows\system32\drivers\en-US\rdpwd.sys.mui
    2012-06-23 03:56 . 2010-11-20 08:57 3072 ----a-w- c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
    2012-06-23 03:54 . 2010-11-20 09:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
    2012-06-23 03:54 . 2010-11-20 09:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
    2012-06-23 03:29 . 2010-11-20 09:27 70656 ----a-w- c:\windows\system32\nlaapi.dll
    2012-06-23 03:28 . 2010-11-20 09:25 84992 ----a-w- c:\windows\system32\asycfilt.dll
    2012-06-23 03:27 . 2010-11-20 09:27 73728 ----a-w- c:\windows\system32\tlscsp.dll
    2012-06-23 03:26 . 2010-11-20 09:27 200192 ----a-w- c:\windows\system32\syncui.dll
    2012-06-23 03:25 . 2010-11-20 09:27 312832 ----a-w- c:\windows\system32\Wldap32.dll
    2012-06-21 23:06 . 2012-06-21 23:06 -------- d-----w- C:\Sun
    2012-06-20 15:35 . 2012-06-20 15:35 -------- d-----w- c:\users\slhbabydoll98\AppData\Local\Microsoft Corporation
    2012-06-20 06:27 . 2012-06-20 06:27 -------- d-----w- c:\program files (x86)\MSECache
    2012-06-20 06:26 . 2012-06-20 06:26 -------- d-----w- c:\program files (x86)\Microsoft Windows 7 Upgrade Advisor
    2012-06-20 05:56 . 2012-06-20 05:56 -------- d-----w- c:\programdata\CA
    2012-06-20 05:40 . 2012-06-20 05:40 65736 ----a-w- c:\windows\system32\drivers\pxrts.sys
    2012-06-20 05:40 . 2012-06-20 05:40 -------- d-----w- c:\program files\Prevx
    2012-06-20 05:39 . 2012-06-29 02:56 -------- d-----w- c:\programdata\PrevxCSI
    2012-06-19 23:54 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-19 23:51 . 2012-06-28 12:52 142128 ----a-w- c:\windows\system32\drivers\aswFW.sys
    2012-06-19 23:48 . 2012-06-28 12:52 266776 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
    2012-06-19 23:48 . 2012-06-28 12:52 19600 ----a-w- c:\windows\system32\drivers\aswKbd.sys
    2012-06-19 23:47 . 2012-03-06 22:44 12368 ----a-w- c:\windows\system32\drivers\aswNdis.sys
    2012-06-19 23:42 . 2012-06-19 23:42 -------- d-----w- c:\users\slhbabydoll98\AppData\Roaming\SUPERAntiSpyware.com
    2012-06-19 23:41 . 2012-06-21 01:25 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-06-19 23:41 . 2012-06-19 23:41 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-06-19 23:35 . 2012-06-28 12:52 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-06-19 23:34 . 2012-06-28 12:52 355856 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-06-19 23:34 . 2012-06-28 12:52 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-06-19 23:34 . 2012-06-28 12:52 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-06-19 23:34 . 2012-06-28 12:52 958912 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-06-19 23:34 . 2012-06-28 12:52 71064 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-06-19 23:34 . 2012-06-28 12:51 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2012-06-19 23:32 . 2012-06-28 12:52 41224 ----a-w- c:\windows\avastSS.scr
    2012-06-19 23:32 . 2012-06-28 12:51 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-06-19 23:32 . 2012-06-19 23:32 -------- d-----w- c:\programdata\AVAST Software
    2012-06-19 23:32 . 2012-06-19 23:32 -------- d-----w- c:\program files\AVAST Software
    2012-06-19 16:47 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-19 16:47 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-19 16:47 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-19 16:47 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-19 16:47 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-19 16:47 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-19 16:47 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-19 16:46 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-19 16:46 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-18 18:11 . 2012-06-18 18:11 -------- d-----w- c:\users\slhbabydoll98\AppData\Roaming\Malwarebytes
    2012-06-18 18:11 . 2012-06-19 23:54 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-06-18 18:11 . 2012-06-18 18:11 -------- d-----w- c:\programdata\Malwarebytes
    2012-06-18 18:07 . 2012-06-18 21:52 -------- d-----w- c:\programdata\PC Optimizer Pro
    2012-06-18 18:03 . 2012-06-18 18:03 -------- d-----w- c:\users\slhbabydoll98\AppData\Local\visi_coupon
    2012-06-18 18:00 . 2012-06-18 22:01 -------- d-----w- C:\Remote Programs
    2012-06-18 17:59 . 2012-06-19 16:32 -------- d-----w- c:\program files (x86)\7-zip
    2012-06-18 02:15 . 2012-06-18 02:15 -------- d-----w- c:\windows\SysWow64\N360_BACKUP
    2012-06-17 07:03 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-06-17 07:03 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-06-17 07:03 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-06-15 03:37 . 2012-06-15 03:37 -------- d-----w- c:\programdata\PCSettings
    2012-06-14 07:00 . 2012-05-18 01:55 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-14 03:58 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-06-14 03:58 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-06-14 03:58 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-06-14 03:58 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
    2012-06-14 03:58 . 2010-11-20 13:27 33792 ----a-w- c:\windows\system32\profprov.dll
    2012-06-14 03:58 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-14 03:58 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
    2012-06-14 03:58 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
    2012-06-14 03:58 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
    2012-06-14 03:57 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-14 03:57 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-06-14 03:57 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-14 03:57 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-14 03:57 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-06-14 03:57 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-06-02 04:05 . 2012-06-02 04:05 -------- d-----w- c:\users\slhbabydoll98\AppData\Local\Wild Tangent
    2012-06-02 03:30 . 2012-06-12 23:18 -------- d-----w- c:\users\slhbabydoll98\AppData\Roaming\WildTangent
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-23 19:25 . 2012-03-31 23:24 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-23 19:25 . 2011-06-19 23:08 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-23 04:07 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2012-06-23 04:07 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-06-28_16.15.24 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2012-06-28 16:13 . 2012-06-28 16:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-01 19:05 . 2012-07-01 19:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-01 19:05 . 2012-07-01 19:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-06-28 16:13 . 2012-06-28 16:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 04:54 . 2012-06-28 16:14 507904 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-07-01 19:06 507904 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:46 . 2012-06-29 14:36 113088 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2009-07-14 05:01 . 2012-06-28 16:13 236908 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-07-01 19:05 236908 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2012-06-20 02:57 . 2012-06-28 16:14 3522560 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2012-06-20 02:57 . 2012-07-01 19:06 3522560 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:45 . 2012-06-29 08:44 7663076 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    - 2009-07-14 04:54 . 2012-06-28 16:14 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-07-01 19:06 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-05-18 17:06 . 2012-07-01 19:05 40713086 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3603554640-817227373-1043472641-1000-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-06-28 4273976]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    "ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-23 136176]
    R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [x]
    R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-23 136176]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-01-07 232992]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]
    R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
    R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-06-24 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [2012-03-06 12368]
    S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
    S1 aswFW;avast! TDI Firewall driver; [x]
    S1 aswKbd;aswKbd; [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-15 202752]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-06-28 71064]
    S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [2012-06-28 133912]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 Giraffic;Veoh Giraffic Video Accelerator;c:\program files (x86)\Giraffic\Veoh_GirafficWatchdog.exe [2012-01-22 2230416]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
    S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 14112]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-04-06 258928]
    S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-15 6403072]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-15 188928]
    S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 24904]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-01-12 325152]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-04-28 932384]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-01 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 19:25]
    .
    2012-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-23 00:58]
    .
    2012-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-23 00:58]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-06-28 12:51 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "NCInstallQueue"="netman.dll" [2009-07-14 360448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\progra~2\SEARCH~1\SEARCH~1\x64\datamngr.dll c:\progra~2\SEARCH~1\SEARCH~1\x64\IEBHO.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local;<local>
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    FF - ProfilePath - c:\users\slhbabydoll98\AppData\Roaming\Mozilla\Firefox\Profiles\9155nu8m.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-10 - (no file)
    Toolbar-!{cd90bf73-20f6-44ef-993d-bb920303bd2e} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
    "ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:19,37,7c,1a,a6,06,cd,01
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,fc,19,60,09,16,60,4f,9e,32,06,\
    .
    [HKEY_USERS\S-1-5-21-3603554640-817227373-1043472641-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-3603554640-817227373-1043472641-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*]
    "value"="?\05\03\12\05\1d)?"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Giraffic\Veoh_Giraffic.exe
    c:\program files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-01 15:14:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-01 19:14
    ComboFix2.txt 2012-07-01 18:45
    ComboFix3.txt 2012-07-01 02:14
    ComboFix4.txt 2012-06-30 05:13
    ComboFix5.txt 2012-07-01 18:54
    .
    Pre-Run: 246,690,889,728 bytes free
    Post-Run: 246,500,855,808 bytes free
    .
    - - End Of File - - CE2EA462D1E7F90974C35DA86E2730E5
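The CFScript in the first post rewrites Firefox search and homepage prefs that point at Conduit, searchqu and blekko, and the "Reg Loading Points" section of the log above shows an AppInit_DLLs value loading two SearchQu DLLs into every GUI process. The following helper is an added example (it is not part of the thread, of ComboFix, or of any tool the thread uses): it parses ComboFix-style log lines and flags Firefox prefs whose URL host is outside an illustrative allow-list, toolbar-related extension prefs, and any AppInit_DLLs entry. The sample log text is constructed to mirror the lines quoted in the thread; the allow-list of domains and engine names is an assumption for the example. ComboFix prints URLs with `hxxp` to defang them, so the parser re-arms the scheme only to extract the host.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

Flags three things a malware-removal helper reads for first:
  * Firefox prefs.js/user.js search and homepage prefs whose host is not on
    an allow-list (hijacked search providers such as Conduit or searchqu),
  * extension prefs belonging to a toolbar (e.g. BabylonToolbar_i.*),
  * any AppInit_DLLs value, since that key injects the listed DLLs into
    every process that loads user32.dll.
"""
import re
from urllib.parse import urlparse

# Firefox prefs that search hijackers typically rewrite.
BROWSER_PREFS = {
    "browser.search.defaulturl",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
    "keyword.URL",
}

# Assumption for the example: a small illustrative allow-list. Anything else
# is reported for a human to look at; it is not a verdict.
ALLOWED_DOMAINS = {
    "google.com", "www.google.com",
    "yahoo.com", "www.yahoo.com",
    "bing.com", "www.bing.com",
}
ALLOWED_ENGINE_NAMES = {"Google", "Yahoo", "Bing"}

FF_PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (.*)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$')


def _domain(value):
    """Return the host of an hxxp:// or http:// URL, or None for a non-URL value."""
    url = value.strip().replace("hxxp", "http", 1)  # ComboFix defangs URLs as hxxp
    if not url.startswith(("http://", "https://")):
        return None
    return urlparse(url).hostname


def _is_expected(value):
    """True when a browser pref value points at an allow-listed host or engine name."""
    host = _domain(value)
    if host is not None:
        return host in ALLOWED_DOMAINS
    return value.strip() in ALLOWED_ENGINE_NAMES


def triage(log_text):
    """Return (kind, name, value) tuples for suspicious lines in a ComboFix log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FF_PREF_RE.match(line)
        if m:
            name, value = m.groups()
            if name in BROWSER_PREFS and not _is_expected(value):
                findings.append(("firefox-pref", name, value))
            elif name.startswith("extensions.") and "toolbar" in name.lower():
                findings.append(("firefox-toolbar-pref", name, value))
            continue
        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():
            # ComboFix prints 8.3 short paths here, so the value has no embedded
            # spaces and whitespace splitting separates the DLLs (assumption).
            for dll in m.group(1).split():
                findings.append(("appinit-dll", "AppInit_DLLs", dll))
    return findings


# Constructed sample mirroring the entries quoted in the thread, plus one
# clean homepage line to show what is *not* reported.
SAMPLE_LOG = r"""
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Veoh Web Player Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://blekko.com/ws/?source=6a1885c1&tbp=url&toolbarid=blekkotb_002&u=___userid___&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
"AppInit_DLLs"=c:\progra~2\SEARCH~1\SEARCH~1\x64\datamngr.dll c:\progra~2\SEARCH~1\SEARCH~1\x64\IEBHO.dll
uStart Page = hxxp://www.yahoo.com/
"""

if __name__ == "__main__":
    for kind, name, value in triage(SAMPLE_LOG):
        print(f"{kind:22} {name:40} {value}")
```

Run it on a saved ComboFix.txt with `triage(open(path, errors="replace").read())`; the AppInit_DLLs findings are the ones to act on first, because a DLL listed there keeps loading into new processes (and therefore keeps playing ads) no matter what the browser prefs say.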
     
  3. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Much better.

    Malwarebytes

    I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
    ----------

    Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
    ----------

    In your next reply please post the logs made by Malwarebytes and ESET online scanner. :)
     
  4. slhtarheelfan02

    slhtarheelfan02 Thread Starter

    Joined:
    Jun 20, 2012
    Messages:
    42
Here is the Malwarebytes log


    Malwarebytes Anti-Malware (PRO) 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.07.01.08
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    slhbabydoll98 :: TARHEELFAN02 [administrator]
    Protection: Enabled
    7/1/2012 3:59:57 PM
    mbam-log-2012-07-01 (15-59-57).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 208662
    Time elapsed: 3 minute(s), 39 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)


Here is the ESET Online Scanner log


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK
     
  5. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Looks good.

    How is your system running? :)
     
  6. slhtarheelfan02

    slhtarheelfan02 Thread Starter

    Joined:
    Jun 20, 2012
    Messages:
    42
System's been running really well for the last couple of days, ever since we first started running ComboFix.
     
  7. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Glad to hear it's running better. :)

    Let's get some updates...

    You have an older version of Adobe Reader. You can download the current version HERE

    You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

    Visit their support forum
    Foxit Forum

    In either case you should uninstall Adobe Reader 9.3 first. Be sure to move any PDF documents to another folder first though.
    ----------

    Please download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
    • Select Update Using Sun Java's Website, then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
    ----------

    Please do the following:

    Hold down the Windows key and press R to open a Run box, then type the following text into the Run box:

    appwiz.cpl

    This will open your Programs and Features. A list of installed programs will populate.

    Remove the following programs (if still present):

    Ask Toolbar Updater
    iLivid

    ----------

    In your next reply please let me know if you have problems with the instructions above and if you have any more malware related problems. :)
     
  8. slhtarheelfan02

    slhtarheelfan02 Thread Starter

    Joined:
    Jun 20, 2012
    Messages:
    42
    Updated Adobe Reader and Java Runtime Environment. I had problems uninstalling Ask Toolbar Updater and iLivid. When I tried to uninstall Ask Toolbar Updater, I got a message that said "You do not have sufficient access to uninstall ask toolbar updater. Please contact your system administrator".

    And when I try to uninstall iLivid, it goes through the process and the uninstallation completes, but iLivid is still on the computer even after I reboot.
     
  9. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Ok....

    See if you are able to get OTL to run through completely. If you are please post the logs created. :)
     
  10. slhtarheelfan02

    slhtarheelfan02 Thread Starter

    Joined:
    Jun 20, 2012
    Messages:
    42
    No, it still won't run through; it says "not responding" when it starts scanning Firefox settings.
     
  11. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Sorry for any delay. I was speaking with the creator of OTL about this. What version of OTL are you using? To find out you can just open OTL and at the top you will see "OTL by Old Timer - Version ********"
     
  12. slhtarheelfan02

    slhtarheelfan02 Thread Starter

    Joined:
    Jun 20, 2012
    Messages:
    42
    Version 3.2.53.0
     
  13. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Ok...that version is outdated.

    Please delete your copy of OTL and then download a fresh copy. Once downloaded, try to run OTL through again. :)
     
  14. slhtarheelfan02

    slhtarheelfan02 Thread Starter

    Joined:
    Jun 20, 2012
    Messages:
    42
    Still doing the same thing. This new one is version 3.2.53.1
     
  15. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Let's go about this another way. :)

    Download Revo Uninstaller
    • Double click the installation file on the desktop to run the installer.
    • Let it install to the default location.
    • Double click the new Revo Uninstaller Icon on the desktop to start the program.
    You will now see a list of installed programs that Revo Uninstaller can remove.
    • Locate the program you are uninstalling: Ask Toolbar Updater.
    • Right-click the icon, then choose Uninstall.
    • Click Yes to the warning and choose the Uninstall Mode.
    • Choose the Advanced option and then click Next.
    • This will launch the program's built-in uninstaller. Be patient; it can take several seconds.
    • Once the uninstaller is done, click Next.
    • Revo Uninstaller will now scan for leftover information. Be patient; it can take several seconds.
    • Once this scan is done, click Next.
    • You will then be presented with the leftover entries found by Revo Uninstaller.
    • Look at ALL of the entries to ensure they relate to the uninstall.
    • Next click Select All > Delete to remove the entries.
    • Click Next.
    • If there are any program file folders left over, you will be presented with a list to be removed.
    • Again, look at ALL of the entries to ensure they are related to the uninstall.
    • Click Select All > Delete to remove the entries.
    • Click Finish to go back to the uninstall list.
    • Close the program.

    Once done removing the Ask Toolbar Updater, please do the same steps for iLivid. :) Let me know when you get that completed and if you have any problems.
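    Added example (not part of the thread or of Revo Uninstaller): a PowerShell script that reads the same Uninstall registry entries that Programs and Features and Revo list, for the two program names from this thread, and shows each entry's uninstall command, install folder and registry key ACL. An entry whose install folder is gone, or a key the current user cannot write, is worth checking when an uninstall reports "insufficient access" or a program reappears after reboot. Assumes Windows 7 x64 with PowerShell 3 or later, run from an elevated prompt; the program names are the only thread-specific values.

```powershell
# Constructed example: audit Uninstall registry entries for the programs named in the thread.
$targets = @('Ask Toolbar Updater', 'iLivid')

# Programs and Features reads the 64-bit and 32-bit (Wow6432Node) views of both hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-UninstallEntry {
    param([string[]]$Names)
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            foreach ($name in $Names) {
                if ($entry.DisplayName -like "*$name*") {
                    # Folder missing but entry present = leftover registration (what Revo would flag).
                    $folderPresent = if ($entry.InstallLocation) { Test-Path $entry.InstallLocation } else { $null }
                    # Owner and ACL of the key: one thing to inspect when the uninstaller reports
                    # "You do not have sufficient access".
                    $acl = Get-Acl -Path $entry.PSPath -ErrorAction SilentlyContinue
                    New-Object PSObject -Property @{
                        DisplayName     = $entry.DisplayName
                        Publisher       = $entry.Publisher
                        RegistryKey     = $entry.PSPath -replace '^.*::', ''
                        UninstallString = $entry.UninstallString
                        InstallLocation = $entry.InstallLocation
                        FolderPresent   = $folderPresent
                        KeyOwner        = if ($acl) { $acl.Owner } else { 'n/a' }
                        KeyAccess       = if ($acl) { $acl.AccessToString } else { 'n/a' }
                    }
                }
            }
        }
}

Get-UninstallEntry -Names $targets | Format-List DisplayName, Publisher, RegistryKey,
    UninstallString, InstallLocation, FolderPresent, KeyOwner, KeyAccess
```

Re-run the script after the Revo pass: no output for a name means no uninstall registration remains for it in any of the four views.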
     

Short URL to this thread: https://techguy.org/1057928