
System32\service.exe infected

Discussion in 'Virus & Other Malware Removal' started by jvricker, Jul 27, 2012.

  1. jvricker, Thread Starter (Joined: Jul 27, 2012; Messages: 10)
    Rootkit detection was found by Malwarebytes. I am not savvy enough to clean this infection off by myself and I need help/advice on what to do. I have downloaded several tools to help me run logs, if you could please help.

    Malwarebytes listed:
    Trojan.0access
    Rootkit.Zaccess
    Trojan.Dropper.BCMiner

    I've downloaded HiJackThis, aswMBR, OTL, erunt, and ComboFix. Just let me know where I need to start.

    Thanks sooooo much,
    Jen
     
  2. jeffce, Malware Specialist (Joined: May 10, 2011; Messages: 1,727)
    Hi,

    Thanks for the friend add. :) Do Not run ComboFix yet!!

    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.
    • Disable any script blocking protection
    • Right-click dds and select Run as Administrator to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.
    ---------------------------------------------------
    Please include the contents of the following in your next reply:

    DDS.txt

    Attach.txt
    ----------

    Oh.... go ahead and run aswMBR.exe as well. :)
     
  3. jvricker, Thread Starter (Joined: Jul 27, 2012; Messages: 10)
    I'm so happy to hear from you, I'm dancing in my seat!!!!! :D Okay, the log files are below:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421
    Run by Jan at 15:01:00 on 2012-07-28
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1538 [GMT -5:00]
    .
    AV: Charter Security Suite 9.01 *Enabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
    SP: Charter Security Suite 9.01 *Enabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Charter Security Suite 9.01 *Enabled* {2D7AC0A6-6241-D774-E168-461178D9686C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
    C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    "C:\Windows\System32\svchost.exe" -k LocalServiceDns
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    uURLSearchHooks: Productivity 3 Toolbar: {1fca4df8-9acd-4dfb-89cc-ddd0082fc588} - c:\program files\productivity_3\prxtbProd.dll
    uURLSearchHooks: FCToolbarURLSearchHook Class: {f78bf7a8-cf12-4de7-a6da-c463d1b539a7} - c:\program files\dogpile bundle toolbar\Helper.dll
    uURLSearchHooks: H - No File
    mURLSearchHooks: Productivity 3 Toolbar: {1fca4df8-9acd-4dfb-89cc-ddd0082fc588} - c:\program files\productivity_3\prxtbProd.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Productivity 3 Toolbar: {1fca4df8-9acd-4dfb-89cc-ddd0082fc588} - c:\program files\productivity_3\prxtbProd.dll
    BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    BHO: {AB6BD08C-DB6B-4F02-8A22-4BD343E990FF} - No File
    BHO: Dogpile Bundle Toolbar BHO: {bfe4b5cb-63f7-4a51-9266-6167655d5b4f} - c:\program files\dogpile bundle toolbar\Toolbar.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: Productivity 3 Toolbar: {1fca4df8-9acd-4dfb-89cc-ddd0082fc588} - c:\program files\productivity_3\prxtbProd.dll
    TB: Dogpile Bundle Toolbar: {c80bdeb2-8735-44c6-bd55-a1ccd555667a} - c:\program files\dogpile bundle toolbar\Toolbar.dll
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [PCMAgent] "c:\program files\cyberlink\powercinema for toshiba\PCMAgent.exe"
    mRun: [CLMLServer] "c:\program files\cyberlink\powercinema for toshiba\kernel\clml\CLMLSvc.exe"
    mRun: [hpqSRMon]
    mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
    TCP: Interfaces\{29971CE0-ED76-4A76-86C2-217595A139F4} : DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
    TCP: Interfaces\{A5C99F56-B3D7-4AA5-85F5-FAC5A2FB6429} : DhcpNameServer = 192.168.2.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\jan\appdata\roaming\mozilla\firefox\profiles\igvng1dw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - plugin: c:\program files\epicplay\npEpicHost.dll
    FF - plugin: c:\program files\gamingwonderlandei\installr\1.bin\NPgtEISb.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-7-10 40960]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-14 46392]
    R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-14 7168]
    R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
    R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-27 113120]
    S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-8-20 9216]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-07-28 01:06:09 -------- d-----w- c:\programdata\036DFF850000F549004A1E292F3B707C
    2012-07-28 01:05:21 56832 ---ha-w- c:\windows\system32\dfrgasrv.dll
    2012-07-27 23:42:42 -------- d-----w- c:\users\jan\appdata\roaming\Malwarebytes
    2012-07-27 23:42:28 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-27 23:42:26 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-27 23:42:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-27 22:40:52 -------- d-----w- c:\users\jan\appdata\local\Productivity_3
    2012-07-24 04:06:04 -------- d-----w- c:\program files\AVG
    2012-07-24 04:03:53 -------- d--h--w- c:\programdata\Common Files
    2012-07-24 04:03:53 -------- d-----w- c:\programdata\MFAData
    2012-07-23 23:45:51 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-07-23 23:45:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-07-23 23:29:53 -------- d-----w- c:\programdata\GFI Software
    2012-07-23 09:27:55 -------- d-----w- c:\program files\CCleaner
    2012-07-23 02:39:24 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2012-07-23 02:39:05 -------- d-----w- c:\users\jan\appdata\local\Downloaded Installations
    2012-07-23 02:38:09 -------- d-----w- c:\users\jan\appdata\roaming\Ad-Aware Antivirus
    2012-07-14 02:44:16 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-13 21:24:22 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 03:14:32 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2012-07-11 03:14:28 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 03:14:28 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 03:14:25 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 03:14:24 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 03:14:24 204288 ----a-w- c:\windows\system32\ncrypt.dll
    .
    ==================== Find3M ====================
    .
    2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 20:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ============= FINISH: 15:07:05.84 ===============



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/2/2008 9:17:35 PM
    System Uptime: 7/28/2012 2:14:03 PM (1 hours ago)
    .
    Motherboard: TOSHIBA | | Portable PC
    Processor: Intel(R) Core(TM)2 Duo CPU T6400 @ 2.00GHz | CPU | 1600/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 290 GiB total, 211.46 GiB free.
    D: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    7-Zip 9.21
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.3
    ArcadeCandy
    Bejeweled 3
    Belkin Setup and Router Monitor
    Big Fish Games: Game Manager
    Bluetooth Stack for Windows by Toshiba
    BufferChm
    C4580
    C4580_Help
    Camera Assistant Software for Toshiba
    Cards_Calendar_OrderGift_DoMorePlugout
    CCleaner
    CD/DVD Drive Acoustic Silencer
    CustomerResearchQFolder
    CyberLink PowerCinema for TOSHIBA
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    Dogpile Bundle Toolbar
    DVD MovieFactory for TOSHIBA
    ERUNT 1.1j
    eSupportQFolder
    Full Tilt Poker
    GearDrvs
    Geek Squad 24 Hour Computer Support
    GPBaseService
    GPBaseService2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Customer Participation Program 11.0
    HP Imaging Device Functions 11.0
    HP Photosmart C4500 All-In-One Driver Software 11.0 Rel .4
    HP Photosmart Essential 2.5
    HP Photosmart Essential 3.0
    HP Smart Web Printing
    HP Solution Center 13.0
    HP Update
    HPPhotoSmartPhotobookWebPack1
    HPProductAssistant
    HPSSupply
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless WiFi Software
    Intel® Matrix Storage Manager
    Java(TM) 6 Update 6
    Malwarebytes Anti-Malware version 1.62.0.1300
    MarketResearch
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft XML Parser
    Mozilla Firefox 14.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSVCSetup
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Network
    OCR Software by I.R.I.S. 11.0
    PanoStandAlone
    Productivity 3 Toolbar
    PS_AIO_04_C4580_ProductContext
    PS_AIO_04_C4580_Software
    PS_AIO_04_C4580_Software_Min
    PSSWCORE
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Windows Media Encoder (KB2447961)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Shop for HP Supplies
    Skype™ 5.8
    SmartWebPrinting
    SolutionCenter
    Spybot - Search & Destroy
    Status
    Synaptics Pointing Device Driver
    Toolbox
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Desktop Links
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Face Recognition
    TOSHIBA Hardware Setup
    TOSHIBA PowerCinema Helper
    TOSHIBA Recovery Disc Creator
    Toshiba Registration
    TOSHIBA SD Memory Utilities
    TOSHIBA Service Station
    TOSHIBA Software Modem
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TrayApp
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Vegas Penny Slots
    VideoToolkit01
    WebReg
    Windows Media Encoder 9 Series
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/28/2012 2:16:15 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
    7/28/2012 2:16:15 PM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    7/28/2012 2:14:53 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    7/28/2012 2:14:53 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    7/28/2012 2:14:53 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    7/27/2012 8:44:30 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE spldr Wanarpv6
    7/27/2012 8:44:30 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    7/27/2012 8:44:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    7/27/2012 8:43:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    7/27/2012 8:43:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    7/27/2012 8:43:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/27/2012 8:43:46 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    7/27/2012 8:43:30 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
    7/27/2012 8:43:04 PM, Error: EventLog [6008] - The previous system shutdown at 8:41:31 PM on 7/27/2012 was unexpected.
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 2 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The Ulead Burning Helper service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The TOSHIBA SMART Log Service service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The TOSHIBA Power Saver service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The TOSHIBA Optical Disc Drive Service service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The TOSHIBA Navi Support Service service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The TOSHIBA Bluetooth Service service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The TMachInfo service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The SmartFaceVWatchSrv service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The Intel® PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The Intel® PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The ConfigFree Service service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7034] - The AffinegyService service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:41:07 PM, Error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    7/27/2012 8:22:53 PM, Error: EventLog [6008] - The previous system shutdown at 8:21:41 PM on 7/27/2012 was unexpected.
    7/27/2012 8:20:49 PM, Error: Service Control Manager [7034] - The Intel® PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:20:49 PM, Error: Service Control Manager [7034] - The Intel® PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:17:57 PM, Error: EventLog [6008] - The previous system shutdown at 8:17:02 PM on 7/27/2012 was unexpected.
    7/27/2012 8:09:02 PM, Error: Service Control Manager [7034] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 3 time(s).
    7/27/2012 8:08:32 PM, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    7/27/2012 8:08:02 PM, Error: Service Control Manager [7034] - The Intel® PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:08:02 PM, Error: Service Control Manager [7034] - The Intel® PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
    7/27/2012 8:08:02 PM, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    7/24/2012 12:29:34 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 24.177.117.138 for the Network Card with network address 001E338E389D has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
    7/23/2012 7:54:29 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
    7/23/2012 7:51:10 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume SQ004829V03.
    7/23/2012 7:40:58 AM, Error: EventLog [6008] - The previous system shutdown at 7:38:30 AM on 7/23/2012 was unexpected.
    7/23/2012 6:21:23 PM, Error: F-Secure Gatekeeper [1] -
    7/23/2012 6:16:44 PM, Error: EventLog [6008] - The previous system shutdown at 6:10:52 PM on 7/23/2012 was unexpected.
    7/23/2012 10:39:41 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: bfe. This service might not be installed.
    7/23/2012 10:39:41 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: bfe. This service might not be installed.
    7/22/2012 9:51:30 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Font Cache Service service to connect.
    7/22/2012 9:51:30 PM, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-28 15:11:34
    -----------------------------
    15:11:34.296 OS Version: Windows 6.0.6002 Service Pack 2
    15:11:34.296 Number of processors: 2 586 0x170A
    15:11:34.297 ComputerName: JAN-PC UserName: Jan
    15:11:36.025 Initialize success
    15:11:42.900 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    15:11:42.903 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
    15:11:42.920 Disk 0 MBR read successfully
    15:11:42.926 Disk 0 MBR scan
    15:11:42.930 Disk 0 Windows VISTA default MBR code
    15:11:42.945 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
    15:11:42.962 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 296479 MB offset 3074048
    15:11:42.993 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 7265 MB offset 610263040
    15:11:43.001 Disk 0 scanning sectors +625141760
    15:11:43.082 Disk 0 scanning C:\Windows\system32\drivers
    15:11:48.351 Service scanning
    15:12:00.327 Modules scanning
    15:12:03.950 Disk 0 trace - called modules:
    15:12:03.976 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
    15:12:03.981 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863b0478]
    15:12:03.986 3 CLASSPNP.SYS[8a30f8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85475028]
    15:12:03.991 Scan finished successfully
    15:12:08.985 Disk 0 MBR has been saved successfully to "C:\Users\Jan\Desktop\MBR.dat"
    15:12:08.990 The log file has been saved successfully to "C:\Users\Jan\Desktop\aswMBR.txt"
     
  4. jeffce, Malware Specialist (Joined: May 10, 2011; Messages: 1,727)
    Hi,

    :D
    --------

    **WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

    Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may have damaged your system files as well. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

    If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

    If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :)
    ----------

    Download Combofix from the link below, and save it to your desktop.
    Link

    **Note: It is important that it is saved directly to your desktop**
    If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


    --------------------------------------------------------------------

    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    --------------------------------------------------------------------

    Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.
    ----------
     
  5. jvricker

    jvricker Thread Starter

    Joined:
    Jul 27, 2012
    Messages:
    10
    I was finally able to get ComboFix to scan and run the report. Here it is:


    ComboFix 12-07-27.03 - Jan 07/28/2012 15:54:22.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1526 [GMT -5:00]
    Running from: c:\users\Jan\Desktop\ComboFix.exe
    AV: Charter Security Suite 9.01 *Enabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
    FW: Charter Security Suite 9.01 *Enabled* {2D7AC0A6-6241-D774-E168-461178D9686C}
    SP: Charter Security Suite 9.01 *Enabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Roaming
    c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
    c:\users\Jan\AppData\Local\{d02e8adc-75a0-3ee2-0894-affbd6f74980}
    c:\users\Jan\AppData\Local\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\@
    c:\users\Jan\AppData\Local\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\n
    c:\users\Jan\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
    c:\windows\assembly\GAC\Desktop.ini
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\@
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\L\00000004.@
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\L\1afb2d56
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\L\201d3dde
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\00000004.$.uss_dis
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\00000004.@
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\00000008.@
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\000000cb.$.uss_dis
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\000000cb.@
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\80000000.@
    c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\80000032.@
    c:\windows\system32\drivers\etc\lmhosts
    c:\windows\system32\pt
    c:\windows\system32\pt\smartfacevcp.dll.mui
    c:\windows\system32\pt\toscdspd.cpl.mui
    .
    Infected copy of c:\windows\system32\services.exe was found and disinfected
    Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy7_!Windows!System32!services.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-28 03:03 . 2012-07-28 03:03 -------- d-----w- c:\program files\ERUNT
    2012-07-28 01:06 . 2012-07-28 01:08 -------- d-----w- c:\programdata\036DFF850000F549004A1E292F3B707C
    2012-07-28 01:05 . 2012-07-28 01:05 56832 ---ha-w- c:\windows\system32\dfrgasrv.dll
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\users\Jan\AppData\Roaming\Malwarebytes
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-27 23:42 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-23 09:27 . 2012-07-23 09:28 -------- d-----w- c:\program files\CCleaner
    2012-07-23 02:39 . 2012-07-23 02:39 -------- d-----w- c:\programdata\Lavasoft
    2012-07-23 02:39 . 2012-07-23 23:29 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2012-07-23 02:39 . 2012-07-23 02:39 -------- d-----w- c:\users\Jan\AppData\Local\Downloaded Installations
    2012-07-23 02:38 . 2012-07-23 23:26 -------- d-----w- c:\users\Jan\AppData\Roaming\Ad-Aware Antivirus
    2012-07-14 02:44 . 2012-07-14 02:44 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-13 21:24 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 03:14 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-11 03:14 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 03:14 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 03:14 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 03:14 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 03:14 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-02 22:19 . 2012-06-21 05:09 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 05:09 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 05:09 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 05:09 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 05:09 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 05:09 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 05:09 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 20:19 . 2012-06-21 05:09 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:12 . 2012-06-21 05:09 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-01 14:03 . 2012-06-16 03:26 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-14 00:17 . 2012-07-27 23:38 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}"= "c:\program files\Productivity_3\prxtbProd.dll" [2011-05-09 176936]
    "{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}"= "c:\program files\Dogpile Bundle Toolbar\Helper.dll" [2011-10-01 361472]
    .
    [HKEY_CLASSES_ROOT\clsid\{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}]
    .
    [HKEY_CLASSES_ROOT\clsid\{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{C766F9AD-E91E-43DE-91DC-D007680ED4AF}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}]
    2011-05-09 09:49 176936 ----a-w- c:\program files\Productivity_3\prxtbProd.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}]
    2011-10-01 01:34 1604096 ----a-w- c:\program files\Dogpile Bundle Toolbar\Toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}"= "c:\program files\Productivity_3\prxtbProd.dll" [2011-05-09 176936]
    "{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"= "c:\program files\Dogpile Bundle Toolbar\Toolbar.dll" [2011-10-01 1604096]
    .
    [HKEY_CLASSES_ROOT\clsid\{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}]
    .
    [HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}"= "c:\program files\Productivity_3\prxtbProd.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
    "ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
    "PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
    "CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
    2008-07-31 23:26 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
    2008-08-04 21:46 1242424 ----a-w- c:\program files\Toshiba\TOSHIBA Service Station\TSS.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
    FF - ProfilePath - c:\users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\igvng1dw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    HKLM-Run-hpqSRMon - (no file)
    MSConfigStartUp-cfFncEnabler - cfFncEnabler.exe
    MSConfigStartUp-F-Secure Manager - c:\program files\Charter Security Suite\Common\FSM32.EXE
    MSConfigStartUp-F-Secure TNB - c:\program files\Charter Security Suite\FSGUI\TNBUtil.exe
    MSConfigStartUp-SBRegRebootCleaner - c:\program files\Ad-Aware Antivirus\SBRC.exe
    AddRemove-{6A2EF989-A524-48bf-985F-9D076B334980} - c:\users\Jan\AppData\Local\ArcadeCandy\candyRemove.exe
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-07-28 16:08:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-28 21:08
    .
    Pre-Run: 227,587,530,752 bytes free
    Post-Run: 227,615,805,440 bytes free
    .
    - - End Of File - - 51B78AFD94DA3889B1838F591F0DEFF6
     
  6. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi there,

    Good job getting that run. :)

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      File::
      c:\windows\system32\dfrgasrv.dll
      c:\program files\Productivity_3\prxtbProd.dll
      
      Registry::
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
      "{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}"=-
      "{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}"=-
      [-HKEY_CLASSES_ROOT\clsid\{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}]
      [-HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
      [-HKEY_CLASSES_ROOT\TypeLib\{C766F9AD-E91E-43DE-91DC-D007680ED4AF}]
      [-HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
      [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}"=-
      "{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"=-
      [-HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
      [-HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
      [-HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
      [-HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
      "{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}"=-
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
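As an added example (not ComboFix's own output or any code from this thread), here is a small Python triage helper that parses the "Files Created" lines and the "Other Deletions" paths from the ComboFix report above and flags the two things the CFScript above is built around: hidden or system-attributed files dropped under system32 (such as dfrgasrv.dll) and the GUID-named folders with `@`, `U` and `L` children that ComboFix deleted. The meaning of the attribute letters (d, s, h, a) is inferred from the log format and is an assumption; the sample lines are copied from the report above.

```python
"""Triage helper for ComboFix report lines (added example, not ComboFix code).

Parses 'Files Created' entries and bare 'Other Deletions' paths and returns the
items a reviewer would look at first. Attribute letters (d=directory, s=system,
h=hidden, a=archive) are inferred from the log format: an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the 'Files Created' section of the report.
SAMPLE_CREATED = r"""
2012-07-28 03:03 . 2012-07-28 03:03 -------- d-----w- c:\program files\ERUNT
2012-07-28 01:05 . 2012-07-28 01:05 56832 ---ha-w- c:\windows\system32\dfrgasrv.dll
2012-07-27 23:42 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-14 02:44 . 2012-07-14 02:44 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-13 21:24 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
"""

# Constructed sample: paths copied from the 'Other Deletions' section of the report.
SAMPLE_DELETED = r"""
c:\programdata\Roaming
c:\users\Jan\AppData\Local\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\@
c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\80000032.@
c:\windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\L\1afb2d56
c:\windows\system32\drivers\etc\lmhosts
"""

# created-time . last-write-time size-or-dashes attrs path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S{8}) (.+)$"
)

# GUID-named folder followed by an '@' file or a 'U\' / 'L\' subfolder.
GUID_DROP_RE = re.compile(
    r"\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\\(@|[UL]\\)",
    re.IGNORECASE,
)


@dataclass
class CreatedEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories, which ComboFix prints as '--------'
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_created(text: str) -> List[CreatedEntry]:
    """Parse 'Files Created' lines; lines that do not match the format are skipped."""
    entries: List[CreatedEntry] = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(CreatedEntry(created, modified,
                                    None if size == "--------" else int(size),
                                    attrs, path))
    return entries


def flag_created(entries: List[CreatedEntry]) -> List[str]:
    """Paths under system32 that carry the hidden or system attribute."""
    return [e.path for e in entries
            if "\\windows\\system32\\" in e.path.lower() and (e.hidden or e.system)]


def flag_deleted(text: str) -> List[str]:
    """Deleted paths that follow the GUID\\@ / GUID\\U\\ / GUID\\L\\ layout."""
    return [p.strip() for p in text.splitlines() if GUID_DROP_RE.search(p)]


if __name__ == "__main__":
    for path in flag_created(parse_created(SAMPLE_CREATED)):
        print("review (hidden/system in system32):", path)
    for path in flag_deleted(SAMPLE_DELETED):
        print("review (GUID drop folder):", path)
```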
     
  7. jvricker

    jvricker Thread Starter

    Joined:
    Jul 27, 2012
    Messages:
    10
    Hey again. :eek: While I was waiting to hear back, I ran Malwarebytes and ComboFix again. Sorry for my impatience. Maybe I shouldn't have done that, but here is the last report from ComboFix, in case that changes your instructions for me any:

    ComboFix 12-07-29.02 - Jan 07/29/2012 11:29:49.4.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1766 [GMT -5:00]
    Running from: c:\users\Jan\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Jan\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-29 16:34 . 2012-07-29 16:34 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-29 02:52 . 2012-07-29 16:27 -------- d-----w- c:\users\Jan\Jens Tools
    2012-07-29 01:05 . 2012-05-08 23:35 29528 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2012-07-29 01:05 . 2012-07-29 01:05 -------- d-----w- c:\program files\Application Updater
    2012-07-29 01:05 . 2012-07-29 01:05 -------- d-----w- c:\program files\IObit Toolbar
    2012-07-29 01:05 . 2012-07-29 01:05 -------- d-----w- c:\program files\Common Files\Spigot
    2012-07-29 01:05 . 2012-07-29 01:05 -------- d-----w- c:\users\Jan\AppData\Roaming\IObit
    2012-07-29 01:05 . 2010-11-26 23:02 15672 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2012-07-29 01:05 . 2012-07-29 01:05 -------- d-----w- c:\program files\IObit
    2012-07-29 00:57 . 2012-07-29 00:57 -------- d-----w- c:\users\Jan\AppData\Roaming\AVG2012
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\users\Jan\AppData\Local\AVG Secure Search
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\programdata\AVG Secure Search
    2012-07-29 00:56 . 2012-07-29 00:56 27496 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\program files\Common Files\AVG Secure Search
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\program files\AVG Secure Search
    2012-07-29 00:55 . 2012-07-29 00:55 -------- d-----w- C:\$AVG
    2012-07-29 00:55 . 2012-07-29 01:10 -------- d-----w- c:\programdata\AVG2012
    2012-07-29 00:55 . 2012-07-29 00:59 -------- d-----w- c:\windows\system32\drivers\AVG
    2012-07-28 03:03 . 2012-07-28 03:03 -------- d-----w- c:\program files\ERUNT
    2012-07-28 01:06 . 2012-07-28 01:08 -------- d-----w- c:\programdata\036DFF850000F549004A1E292F3B707C
    2012-07-28 01:05 . 2012-07-28 01:05 56832 ---ha-w- c:\windows\system32\dfrgasrv.dll
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\users\Jan\AppData\Roaming\Malwarebytes
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-27 23:42 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-23 09:27 . 2012-07-23 09:28 -------- d-----w- c:\program files\CCleaner
    2012-07-23 02:39 . 2012-07-23 02:39 -------- d-----w- c:\programdata\Lavasoft
    2012-07-23 02:39 . 2012-07-23 23:29 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2012-07-23 02:39 . 2012-07-23 02:39 -------- d-----w- c:\users\Jan\AppData\Local\Downloaded Installations
    2012-07-23 02:38 . 2012-07-23 23:26 -------- d-----w- c:\users\Jan\AppData\Roaming\Ad-Aware Antivirus
    2012-07-14 02:44 . 2012-07-14 02:44 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-13 21:24 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 03:14 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-11 03:14 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 03:14 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 03:14 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 03:14 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 03:14 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-02 22:19 . 2012-06-21 05:09 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 05:09 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 05:09 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 05:09 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 05:09 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 05:09 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 05:09 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 20:19 . 2012-06-21 05:09 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:12 . 2012-06-21 05:09 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-01 14:03 . 2012-06-16 03:26 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-14 00:17 . 2012-07-27 23:38 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}"= "c:\program files\Productivity_3\prxtbProd.dll" [2011-05-09 176936]
    "{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}"= "c:\program files\Dogpile Bundle Toolbar\Helper.dll" [2011-10-01 361472]
    .
    [HKEY_CLASSES_ROOT\clsid\{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}]
    .
    [HKEY_CLASSES_ROOT\clsid\{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{C766F9AD-E91E-43DE-91DC-D007680ED4AF}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}]
    2011-05-09 09:49 176936 ----a-w- c:\program files\Productivity_3\prxtbProd.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-29 00:56 2086496 ----a-w- c:\program files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}]
    2011-10-01 01:34 1604096 ----a-w- c:\program files\Dogpile Bundle Toolbar\Toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}"= "c:\program files\Productivity_3\prxtbProd.dll" [2011-05-09 176936]
    "{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"= "c:\program files\Dogpile Bundle Toolbar\Toolbar.dll" [2011-10-01 1604096]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll" [2012-07-29 2086496]
    .
    [HKEY_CLASSES_ROOT\clsid\{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}]
    .
    [HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}"= "c:\program files\Productivity_3\prxtbProd.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
    "ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
    "PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
    "CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 81920]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
    2008-07-31 23:26 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
    2012-07-27 00:52 1095560 ----a-w- c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
    2008-08-04 21:46 1242424 ----a-w- c:\program files\Toshiba\TOSHIBA Service Station\TSS.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vProt]
    2012-07-29 00:56 1147488 ----a-w- c:\program files\AVG Secure Search\vprot.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\12.1.5\ViProtocol.dll
    FF - ProfilePath - c:\users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\igvng1dw.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=642886&p=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-29 11:37
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Application Updater\ApplicationUpdater.exe
    c:\program files\AVG\AVG2012\avgwdsvc.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\12.1.5\ToolbarUpdater.exe
    c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-07-29 11:40:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-29 16:40
    ComboFix2.txt 2012-07-29 02:51
    ComboFix3.txt 2012-07-28 22:23
    ComboFix4.txt 2012-07-28 21:08
    .
    Pre-Run: 225,963,782,144 bytes free
    Post-Run: 225,692,704,768 bytes free
    .
    - - End Of File - - 9AB1BDEBFD48EB22BD153FC19D268D8B
     
  8. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    :) Yeah please don't do that. You may remove something that I needed to see and it may take longer to figure things out.
    -------

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      DDS::
      uURLSearchHooks: Productivity 3 Toolbar: {1fca4df8-9acd-4dfb-89cc-ddd0082fc588} - c:\program files\productivity_3\prxtbProd.dll
      uURLSearchHooks: FCToolbarURLSearchHook Class: {f78bf7a8-cf12-4de7-a6da-c463d1b539a7} - c:\program files\dogpile bundle toolbar\Helper.dll
      uURLSearchHooks: H - No File
      mURLSearchHooks: Productivity 3 Toolbar: {1fca4df8-9acd-4dfb-89cc-ddd0082fc588} - c:\program files\productivity_3\prxtbProd.dll
      BHO: Productivity 3 Toolbar: {1fca4df8-9acd-4dfb-89cc-ddd0082fc588} - c:\program files\productivity_3\prxtbProd.dll
      BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
      BHO: {AB6BD08C-DB6B-4F02-8A22-4BD343E990FF} - No File
      BHO: Dogpile Bundle Toolbar BHO: {bfe4b5cb-63f7-4a51-9266-6167655d5b4f} - c:\program files\dogpile bundle toolbar\Toolbar.dll
      TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
      TB: Productivity 3 Toolbar: {1fca4df8-9acd-4dfb-89cc-ddd0082fc588} - c:\program files\productivity_3\prxtbProd.dll
      TB: Dogpile Bundle Toolbar: {c80bdeb2-8735-44c6-bd55-a1ccd555667a} - c:\program files\dogpile bundle toolbar\Toolbar.dll
      
      File::
      c:\windows\system32\dfrgasrv.dll
      c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
      
      Folder::
      c:\program files\IObit Toolbar
      c:\users\Jan\AppData\Roaming\IObit
      c:\program files\IObit
      
      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}"=-
      "{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"=-
      [-HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
      [-HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
      [-HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
      [-HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
      "{1FCA4DF8-9ACD-4DFB-89CC-DDD0082FC588}"=-
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
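A check a helper would want once the post-script ComboFix log comes back: did every File:: and Folder:: entry in the CFScript actually show up under the log's "Other Deletions" block? The script below is an added example written for this thread, not part of the post above and not ComboFix's own code. It assumes only the CFScript section layout shown above (`ClearJavaCache::`, `DDS::`, `File::`, `Folder::`, `Registry::`) and the ComboFix log banner format; both sample inputs are constructed, trimmed excerpts (the log excerpt deliberately omits one requested folder so both outcomes are exercised).

```python
"""Parse a ComboFix CFScript and reconcile its File::/Folder:: directives
against the "Other Deletions" block of the log ComboFix produces afterwards.

Added example for this thread; not ComboFix's own code. Section names follow
the CFScript posted above; the sample inputs are constructed excerpts.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed excerpt of the CFScript posted in the thread.
SAMPLE_CFSCRIPT = """\
ClearJavaCache::

DDS::
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File

File::
c:\\windows\\system32\\dfrgasrv.dll
c:\\program files\\Common Files\\Spigot\\Search Settings\\SearchSettings.exe

Folder::
c:\\program files\\IObit Toolbar
c:\\users\\Jan\\AppData\\Roaming\\IObit
c:\\program files\\IObit

Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar]
"{1fca4df8-9acd-4dfb-89cc-ddd0082fc588}"=-
"""

# Constructed excerpt in the ComboFix log format; one requested folder
# (c:\users\Jan\AppData\Roaming\IObit) is intentionally left out.
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\\program files\\Common Files\\Spigot\\Search Settings\\SearchSettings.exe
c:\\program files\\IObit Toolbar
c:\\program files\\IObit Toolbar\\FF\\chrome.manifest
c:\\program files\\IObit
c:\\program files\\IObit\\Smart Defrag 2\\SmartDefrag.exe
c:\\windows\\system32\\dfrgasrv.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-29 )))))))))))))))))))))))))))))))
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section_name: [non-empty lines in that section]}."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_other_deletions(log: str) -> Set[str]:
    """Collect the paths listed under 'Other Deletions' (lower-cased for matching)."""
    deleted: Set[str] = set()
    in_block = False
    for raw in log.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_block = True
            continue
        if in_block and line.startswith("((((("):
            break  # next banner ends the block
        if in_block and line and line != ".":
            deleted.add(line.lower())
    return deleted


def check_deletions(cfscript: str, log: str) -> Dict[str, Set[str]]:
    """Return the requested File::/Folder:: paths that were and were not confirmed.

    A File:: entry needs an exact (case-insensitive) match; a Folder:: entry
    counts as confirmed if the folder itself or anything beneath it is listed.
    """
    sections = parse_cfscript(cfscript)
    deleted = parse_other_deletions(log)
    confirmed: Set[str] = set()
    missing: Set[str] = set()
    for path in sections.get("File", []):
        (confirmed if path.lower() in deleted else missing).add(path)
    for folder in sections.get("Folder", []):
        prefix = folder.lower().rstrip("\\") + "\\"
        hit = folder.lower() in deleted or any(d.startswith(prefix) for d in deleted)
        (confirmed if hit else missing).add(folder)
    return {"confirmed": confirmed, "missing": missing}


if __name__ == "__main__":
    result = check_deletions(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    for label in ("confirmed", "missing"):
        print(f"{label}:")
        for p in sorted(result[label]):
            print("  ", p)
```

Anything reported under "missing" is a path the script asked ComboFix to remove but which the log never confirms; that is the cue to look at the rest of the log (or a fresh scan) rather than assume the item is gone. The prefix match for folders matters because ComboFix lists a removed directory tree file by file, so the folder name alone is not always present.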
     
  9. jvricker

    jvricker Thread Starter

    Joined:
    Jul 27, 2012
    Messages:
    10
    I apologize for jumping the gun. :( I won't do anything else unless you instruct me to. Here is the latest report:

    ComboFix 12-07-29.02 - Jan 07/29/2012 12:59:29.5.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1771 [GMT -5:00]
    Running from: c:\users\Jan\Desktop\ComboFix.exe
    Command switches used :: c:\users\Jan\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe"
    "c:\windows\system32\dfrgasrv.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
    c:\program files\dogpile bundle toolbar\Toolbar.dll
    c:\program files\IObit Toolbar
    c:\program files\IObit Toolbar\FF\chrome.manifest
    c:\program files\IObit Toolbar\FF\chrome\chrome.jar
    c:\program files\IObit Toolbar\FF\install.rdf
    c:\program files\IObit Toolbar\IE\6.2\config.ini
    c:\program files\IObit Toolbar\IE\6.2\iobitToolbarIE.dll
    c:\program files\IObit Toolbar\Res\amazon.gif
    c:\program files\IObit Toolbar\Res\ebay.gif
    c:\program files\IObit Toolbar\Res\facebook.gif
    c:\program files\IObit Toolbar\Res\googleplus.gif
    c:\program files\IObit Toolbar\Res\icon_settings.gif
    c:\program files\IObit Toolbar\Res\iobit_logo.gif
    c:\program files\IObit Toolbar\Res\iobit_logo_hover.gif
    c:\program files\IObit Toolbar\Res\Lang\res1031.ini
    c:\program files\IObit Toolbar\Res\Lang\res1033.ini
    c:\program files\IObit Toolbar\Res\Lang\res1034.ini
    c:\program files\IObit Toolbar\Res\Lang\res1036.ini
    c:\program files\IObit Toolbar\Res\Lang\res1040.ini
    c:\program files\IObit Toolbar\Res\radio-close.gif
    c:\program files\IObit Toolbar\Res\radio-minimize.gif
    c:\program files\IObit Toolbar\Res\radiobeta.gif
    c:\program files\IObit Toolbar\Res\search-button-hover.gif
    c:\program files\IObit Toolbar\Res\search-button.gif
    c:\program files\IObit Toolbar\Res\search-chevron-hover.gif
    c:\program files\IObit Toolbar\Res\search-chevron.gif
    c:\program files\IObit Toolbar\Res\search_amazon.gif
    c:\program files\IObit Toolbar\Res\search_baidu.gif
    c:\program files\IObit Toolbar\Res\search_ebay.gif
    c:\program files\IObit Toolbar\Res\search_yahoo.gif
    c:\program files\IObit Toolbar\Res\search_yandex.gif
    c:\program files\IObit Toolbar\Res\security.gif
    c:\program files\IObit Toolbar\Res\system.gif
    c:\program files\IObit Toolbar\Res\twitter.gif
    c:\program files\IObit Toolbar\Res\widgets.xml
    c:\program files\IObit Toolbar\WidgiHelper.exe
    c:\program files\IObit
    c:\program files\IObit\Smart Defrag 2\drivers\win7_x64\SmartDefragBootTime.exe
    c:\program files\IObit\Smart Defrag 2\drivers\win7_x64\SmartDefragDriver.sys
    c:\program files\IObit\Smart Defrag 2\drivers\win7_x86\SmartDefragBootTime.exe
    c:\program files\IObit\Smart Defrag 2\drivers\win7_x86\SmartDefragDriver.sys
    c:\program files\IObit\Smart Defrag 2\drivers\win8_x64\SmartDefragBootTime.exe
    c:\program files\IObit\Smart Defrag 2\drivers\win8_x64\SmartDefragDriver.sys
    c:\program files\IObit\Smart Defrag 2\drivers\win8_x86\SmartDefragBootTime.exe
    c:\program files\IObit\Smart Defrag 2\drivers\win8_x86\SmartDefragDriver.sys
    c:\program files\IObit\Smart Defrag 2\drivers\wlh_x64\SmartDefragBootTime.exe
    c:\program files\IObit\Smart Defrag 2\drivers\wlh_x64\SmartDefragDriver.sys
    c:\program files\IObit\Smart Defrag 2\drivers\wlh_x86\SmartDefragBootTime.exe
    c:\program files\IObit\Smart Defrag 2\drivers\wlh_x86\SmartDefragDriver.sys
    c:\program files\IObit\Smart Defrag 2\drivers\wnet_x64\SmartDefragBootTime.exe
    c:\program files\IObit\Smart Defrag 2\drivers\wnet_x64\SmartDefragDriver.sys
    c:\program files\IObit\Smart Defrag 2\drivers\wnet_x86\SmartDefragBootTime.exe
    c:\program files\IObit\Smart Defrag 2\drivers\wnet_x86\SmartDefragDriver.sys
    c:\program files\IObit\Smart Defrag 2\drivers\wxp_x64\SmartDefragBootTime.exe
    c:\program files\IObit\Smart Defrag 2\drivers\wxp_x64\SmartDefragDriver.sys
    c:\program files\IObit\Smart Defrag 2\drivers\wxp_x86\SmartDefragBootTime.exe
    c:\program files\IObit\Smart Defrag 2\drivers\wxp_x86\SmartDefragDriver.sys
    c:\program files\IObit\Smart Defrag 2\EULA.rtf
    c:\program files\IObit\Smart Defrag 2\fav.ico
    c:\program files\IObit\Smart Defrag 2\Freeware\ASC_FreeSoftwareDownloader.exe
    c:\program files\IObit\Smart Defrag 2\Freeware\Check.dll
    c:\program files\IObit\Smart Defrag 2\Freeware\SD_FreeSoftwareDownloader.exe
    c:\program files\IObit\Smart Defrag 2\Help\Images\001.jpg
    c:\program files\IObit\Smart Defrag 2\Help\Images\002.jpg
    c:\program files\IObit\Smart Defrag 2\Help\Images\003.jpg
    c:\program files\IObit\Smart Defrag 2\Help\Images\004.jpg
    c:\program files\IObit\Smart Defrag 2\Help\Images\005.jpg
    c:\program files\IObit\Smart Defrag 2\Help\Images\006.jpg
    c:\program files\IObit\Smart Defrag 2\Help\Images\007.jpg
    c:\program files\IObit\Smart Defrag 2\Help\Images\008.jpg
    c:\program files\IObit\Smart Defrag 2\Help\Images\009.jpg
    c:\program files\IObit\Smart Defrag 2\Help\Index.html
    c:\program files\IObit\Smart Defrag 2\Language\Albanian.lng
    c:\program files\IObit\Smart Defrag 2\Language\Arabic.lng
    c:\program files\IObit\Smart Defrag 2\Language\Bulgarian.lng
    c:\program files\IObit\Smart Defrag 2\Language\ChineseSimp.lng
    c:\program files\IObit\Smart Defrag 2\Language\ChineseTrad.lng
    c:\program files\IObit\Smart Defrag 2\Language\Czech.lng
    c:\program files\IObit\Smart Defrag 2\Language\Danish.lng
    c:\program files\IObit\Smart Defrag 2\Language\Deutsch.lng
    c:\program files\IObit\Smart Defrag 2\Language\Dutch.lng
    c:\program files\IObit\Smart Defrag 2\Language\English.lng
    c:\program files\IObit\Smart Defrag 2\Language\Finnish.lng
    c:\program files\IObit\Smart Defrag 2\Language\Flemish.lng
    c:\program files\IObit\Smart Defrag 2\Language\French.lng
    c:\program files\IObit\Smart Defrag 2\Language\Georgian.lng
    c:\program files\IObit\Smart Defrag 2\Language\German.lng
    c:\program files\IObit\Smart Defrag 2\Language\Greek.lng
    c:\program files\IObit\Smart Defrag 2\Language\Hebrew.lng
    c:\program files\IObit\Smart Defrag 2\Language\Hungarian.lng
    c:\program files\IObit\Smart Defrag 2\Language\Indonesia.lng
    c:\program files\IObit\Smart Defrag 2\Language\Italian.lng
    c:\program files\IObit\Smart Defrag 2\Language\Japanese.lng
    c:\program files\IObit\Smart Defrag 2\Language\Kashubian.lng
    c:\program files\IObit\Smart Defrag 2\Language\Korean.lng
    c:\program files\IObit\Smart Defrag 2\Language\Kurdish.lng
    c:\program files\IObit\Smart Defrag 2\Language\Malay.lng
    c:\program files\IObit\Smart Defrag 2\Language\Malayalam.lng
    c:\program files\IObit\Smart Defrag 2\Language\Norwegian.lng
    c:\program files\IObit\Smart Defrag 2\Language\Polish.lng
    c:\program files\IObit\Smart Defrag 2\Language\Portuguese(PT-BR).lng
    c:\program files\IObit\Smart Defrag 2\Language\Portuguese(PT-PT).lng
    c:\program files\IObit\Smart Defrag 2\Language\Romanian.lng
    c:\program files\IObit\Smart Defrag 2\Language\Russian.lng
    c:\program files\IObit\Smart Defrag 2\Language\Serbian.lng
    c:\program files\IObit\Smart Defrag 2\Language\Slovak.lng
    c:\program files\IObit\Smart Defrag 2\Language\Slovenian.lng
    c:\program files\IObit\Smart Defrag 2\Language\Spanish.lng
    c:\program files\IObit\Smart Defrag 2\Language\Swedish.lng
    c:\program files\IObit\Smart Defrag 2\Language\Turkish.lng
    c:\program files\IObit\Smart Defrag 2\Language\Vietnamese.lng
    c:\program files\IObit\Smart Defrag 2\LatestNews\LatestNews.ini
    c:\program files\IObit\Smart Defrag 2\NtfsData.dll
    c:\program files\IObit\Smart Defrag 2\rtl120.bpl
    c:\program files\IObit\Smart Defrag 2\SDDriverMgr.dll
    c:\program files\IObit\Smart Defrag 2\SDInit.exe
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Add_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Add_Middle.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Add_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Add_Shadow.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Analyze_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Analyze_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Analyze_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Analyze_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Center.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Checkbox_Checked.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Checkbox_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Checkbox_Unchecked.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Close_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Close_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\ColumnDivider.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\ColumnHeader.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Corner_Bottom_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Corner_Bottom_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Corner_Top_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Corner_Top_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Defrag_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Defrag_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Defrag_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Defrag_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Defrag_Option_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Defrag_Option_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Defrag_Option_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Defrag_Option_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Frame_Bottom.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Frame_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Frame_Left_Top.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Frame_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Frame_Right_Top.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Frame_Top.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Hide.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Item_Selected.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Layout.ini
    c:\program files\IObit\Smart Defrag 2\Skins\Black\line.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Logo.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Maximize_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Maximize_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Minimize_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Minimize_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\News_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\News_Middle.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\News_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Page_Body.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Pause_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Pause_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Pause_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Pause_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Progress_Bg_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Progress_Bg_Middle.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Progress_Bg_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Progress_Fg_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Progress_Fg_Middle.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Progress_Fg_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Restore_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Restore_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Setting_Text_Shadow.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Show.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Statistics.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Stop_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Stop_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Stop_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Stop_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Tab_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Tab_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Tab_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Title.png
    c:\program files\IObit\Smart Defrag 2\Skins\Black\Top.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Add_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Add_Middle.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Add_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Add_Shadow.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Analyze_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Analyze_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Analyze_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Analyze_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\center.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Checkbox_Checked.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Checkbox_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Checkbox_Unchecked.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Close_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Close_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\ColumnDivider.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\ColumnHeader.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Corner_Bottom_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Corner_Bottom_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Corner_Top_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Corner_Top_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Defrag_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Defrag_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Defrag_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Defrag_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Defrag_Option_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Defrag_Option_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Defrag_Option_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Defrag_Option_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Frame_Bottom.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Frame_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Frame_Left_Top.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Frame_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Frame_Right_Top.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Frame_Top.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Hide.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Item_Selected.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Layout.ini
    c:\program files\IObit\Smart Defrag 2\Skins\White\line.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Logo.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Maximize_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Maximize_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Minimize_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Minimize_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\News_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\News_Middle.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\News_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Page_Body.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Pause_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Pause_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Pause_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Pause_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Progress_Bg_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Progress_Bg_Middle.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Progress_Bg_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Progress_Fg_Left.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Progress_Fg_Middle.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Progress_Fg_Right.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Restore_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Restore_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Setting_Text_Shadow.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Show.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Statistics.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Stop_Disable.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Stop_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Stop_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Stop_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Tab_Focus.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Tab_Hot.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Tab_Normal.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Title.png
    c:\program files\IObit\Smart Defrag 2\Skins\White\Top.png
    c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe
    c:\program files\IObit\Smart Defrag 2\taskMgr.dll
    c:\program files\IObit\Smart Defrag 2\unins000.dat
    c:\program files\IObit\Smart Defrag 2\unins000.exe
    c:\program files\IObit\Smart Defrag 2\unins000.msg
    c:\program files\IObit\Smart Defrag 2\vcl120.bpl
    c:\program files\IObit\Smart Defrag 2\vclx120.bpl
    c:\program files\productivity_3\prxtbProd.dll
    c:\users\Jan\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
    c:\users\Jan\AppData\Roaming\IObit
    c:\users\Jan\AppData\Roaming\IObit\Smart Defrag 2\Config.ini
    c:\windows\system32\dfrgasrv.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-29 18:03 . 2012-07-29 18:03 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-29 02:52 . 2012-07-29 16:42 -------- d-----w- c:\users\Jan\Jens Tools
    2012-07-29 01:05 . 2012-05-08 23:35 29528 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2012-07-29 01:05 . 2012-07-29 01:05 -------- d-----w- c:\program files\Application Updater
    2012-07-29 01:05 . 2012-07-29 01:05 -------- d-----w- c:\program files\Common Files\Spigot
    2012-07-29 01:05 . 2010-11-26 23:02 15672 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2012-07-29 00:57 . 2012-07-29 00:57 -------- d-----w- c:\users\Jan\AppData\Roaming\AVG2012
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\users\Jan\AppData\Local\AVG Secure Search
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\programdata\AVG Secure Search
    2012-07-29 00:56 . 2012-07-29 00:56 27496 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\program files\Common Files\AVG Secure Search
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\program files\AVG Secure Search
    2012-07-29 00:55 . 2012-07-29 00:55 -------- d-----w- C:\$AVG
    2012-07-29 00:55 . 2012-07-29 16:49 -------- d-----w- c:\windows\system32\drivers\AVG
    2012-07-29 00:55 . 2012-07-29 01:10 -------- d-----w- c:\programdata\AVG2012
    2012-07-28 03:03 . 2012-07-28 03:03 -------- d-----w- c:\program files\ERUNT
    2012-07-28 01:06 . 2012-07-28 01:08 -------- d-----w- c:\programdata\036DFF850000F549004A1E292F3B707C
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\users\Jan\AppData\Roaming\Malwarebytes
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-27 23:42 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-23 09:27 . 2012-07-23 09:28 -------- d-----w- c:\program files\CCleaner
    2012-07-23 02:39 . 2012-07-23 02:39 -------- d-----w- c:\programdata\Lavasoft
    2012-07-23 02:39 . 2012-07-23 23:29 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2012-07-23 02:39 . 2012-07-23 02:39 -------- d-----w- c:\users\Jan\AppData\Local\Downloaded Installations
    2012-07-23 02:38 . 2012-07-23 23:26 -------- d-----w- c:\users\Jan\AppData\Roaming\Ad-Aware Antivirus
    2012-07-14 02:44 . 2012-07-14 02:44 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-13 21:24 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 03:14 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-11 03:14 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 03:14 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 03:14 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 03:14 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 03:14 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-02 22:19 . 2012-06-21 05:09 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 05:09 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 05:09 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 05:09 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 05:09 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 05:09 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 05:09 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 20:19 . 2012-06-21 05:09 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:12 . 2012-06-21 05:09 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-01 14:03 . 2012-06-16 03:26 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-14 00:17 . 2012-07-27 23:38 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}"= "c:\program files\Dogpile Bundle Toolbar\Helper.dll" [2011-10-01 361472]
    .
    [HKEY_CLASSES_ROOT\clsid\{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{C766F9AD-E91E-43DE-91DC-D007680ED4AF}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-29 00:56 2086496 ----a-w- c:\program files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll" [2012-07-29 2086496]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
    "ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
    "PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
    "CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 81920]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
    2008-07-31 23:26 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
    2008-08-04 21:46 1242424 ----a-w- c:\program files\Toshiba\TOSHIBA Service Station\TSS.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vProt]
    2012-07-29 00:56 1147488 ----a-w- c:\program files\AVG Secure Search\vprot.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\12.1.5\ViProtocol.dll
    FF - ProfilePath - c:\users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\igvng1dw.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=642886&p=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
    AddRemove-Smart Defrag 2_is1 - c:\program files\IObit\Smart Defrag 2\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-29 13:07
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Application Updater\ApplicationUpdater.exe
    c:\program files\AVG\AVG2012\avgwdsvc.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\12.1.5\ToolbarUpdater.exe
    c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-07-29 13:11:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-29 18:11
    ComboFix2.txt 2012-07-29 16:40
    ComboFix3.txt 2012-07-29 02:51
    ComboFix4.txt 2012-07-28 22:23
    ComboFix5.txt 2012-07-29 17:57
    .
    Pre-Run: 225,536,503,808 bytes free
    Post-Run: 225,301,413,888 bytes free
    .
    - - End Of File - - 93806E1718AC250205D50EE26C8ED07E
     
  10. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    No worries. :)
    ----------

    I see that you had AdAware Antivirus on your system? Are you still using that? If not please go to Start >> Control Panel >> Programs and Features and uninstall it.
    ----------

    Malwarebytes

    I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
    ----------

    Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
    • Click Scan (This scan can take several hours, so please be patient)
    • If there are threats that are found, please press List of found threats and then in the next window that opens press Export to text file...
    • Copy and paste/or attach that log as a reply to this topic
    **Note** If no threats are found, no log will be created.
    ----------

    In your next reply please post the logs made by Malwarebytes and ESET as well as let me know if you have any problems removing AdAware antivirus. :)
     
  11. jvricker

    jvricker Thread Starter

    Joined:
    Jul 27, 2012
    Messages:
    10
    I guess we're not out of the woods yet. :confused: Adaware was not in the list of programs to uninstall in Programs and Features, but I did delete the folder manually out of the Program Files. Malwarebytes did not find any infected files. ESET, however did find threats. Here are the logs from both:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.27.11
    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Jan :: JAN-PC [administrator]
    7/29/2012 4:35:31 PM
    mbam-log-2012-07-29 (16-35-31).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 202997
    Time elapsed: 9 minute(s), 56 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    ESET log:

    C:\Program Files\GamingWonderlandEI\Installr\1.bin\gtEIPlug.dll Win32/Toolbar.MyWebSearch application
    C:\Program Files\GamingWonderlandEI\Installr\1.bin\gtEZSETP.dll Win32/Toolbar.MyWebSearch.Q application
    C:\Program Files\GamingWonderlandEI\Installr\1.bin\NPgtEISb.dll Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe.vir a variant of Win32/Toolbar.Widgi application
    C:\Qoobox\Quarantine\C\Program Files\IObit Toolbar\IE\6.2\iobitToolbarIE.dll.vir a variant of Win32/Toolbar.Widgi application
    C:\Qoobox\Quarantine\C\Users\Jan\AppData\Local\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\n.vir Win32/Sirefef.EV trojan
    C:\Qoobox\Quarantine\C\Windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan
    C:\Qoobox\Quarantine\C\Windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan
    C:\Qoobox\Quarantine\C\Windows\System32\dfrgasrv.dll.vir Win32/PSW.Papras.CE trojan
    C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win32/Sirefef.FB.Gen trojan
     
  12. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Looking better. :)

    Some of the entries that ESET found are already quarantined by our tools and will be removed shortly.
    ----------

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      File::
      C:\Program Files\GamingWonderlandEI\Installr\1.bin\gtEIPlug.dll 
      C:\Program Files\GamingWonderlandEI\Installr\1.bin\gtEZSETP.dll 
      C:\Program Files\GamingWonderlandEI\Installr\1.bin\NPgtEISb.dll
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [screenshot: dragging CFScript.txt onto ComboFix.exe]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

    In your next reply please post the new ComboFix log and let me know how your system is running now. :)
     
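The CFScript above lists only the three GamingWonderlandEI DLLs because the other seven ESET hits sit under C:\Qoobox\Quarantine with a .vir suffix, which is where ComboFix parks what it has already removed; those copies are inert and get purged when ComboFix is uninstalled. The following is an added example from the editor, not an ESET or ComboFix tool and not part of the thread: it parses an ESET Online Scanner log, separates quarantined copies from files still live on disk, and emits the File:: block in the same shape as the script in the post. The embedded log is the one jvricker posted, used here as sample input.

```python
"""Split an ESET Online Scanner log into live files and ComboFix quarantine
copies, and build the CFScript 'File::' block for the live ones.

Added example (the editor's, not an ESET or ComboFix tool).  ESET_LOG is the
list posted in the thread, embedded here as sample input so the script runs
offline.
"""
import re

ESET_LOG = r"""
C:\Program Files\GamingWonderlandEI\Installr\1.bin\gtEIPlug.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\GamingWonderlandEI\Installr\1.bin\gtEZSETP.dll Win32/Toolbar.MyWebSearch.Q application
C:\Program Files\GamingWonderlandEI\Installr\1.bin\NPgtEISb.dll Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe.vir a variant of Win32/Toolbar.Widgi application
C:\Qoobox\Quarantine\C\Program Files\IObit Toolbar\IE\6.2\iobitToolbarIE.dll.vir a variant of Win32/Toolbar.Widgi application
C:\Qoobox\Quarantine\C\Users\Jan\AppData\Local\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\n.vir Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{d02e8adc-75a0-3ee2-0894-affbd6f74980}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan
C:\Qoobox\Quarantine\C\Windows\System32\dfrgasrv.dll.vir Win32/PSW.Papras.CE trojan
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win32/Sirefef.FB.Gen trojan
"""

# One detection line is "<path> <detection name> <object type>".  The path may
# contain spaces, so the split is anchored on the first token that looks like a
# detection name ("Win32/Sirefef.EV"), optionally prefixed by "a variant of" or
# "probably a variant of".
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably\s+)?(?:a variant of\s+)?\w+/\S+(?:\s+\S+)*)$"
)

# ComboFix moves what it removes into C:\Qoobox\Quarantine\ and appends ".vir".
_QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


def parse_eset_log(text):
    """Return a list of (path, detection) tuples; blank or unparsable lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m:
            findings.append((m.group("path"), m.group("detection")))
    return findings


def triage(findings):
    """Split findings into (quarantined, live).

    quarantined: inert copies ComboFix already moved under C:\\Qoobox\\Quarantine
    and renamed *.vir; live: files still at their original location.
    """
    quarantined, live = [], []
    for path, detection in findings:
        lowered = path.lower()
        if lowered.startswith(_QUARANTINE_PREFIX) and lowered.endswith(".vir"):
            quarantined.append((path, detection))
        else:
            live.append((path, detection))
    return quarantined, live


def build_cfscript(live, clear_java_cache=True):
    """Render CFScript text: optional ClearJavaCache:: directive, then a File::
    block with one live path per line, matching the layout used in the thread."""
    lines = []
    if clear_java_cache:
        lines += ["ClearJavaCache::", ""]
    lines.append("File::")
    lines += [path for path, _ in live]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    _, still_live = triage(parse_eset_log(ESET_LOG))
    print(build_cfscript(still_live), end="")
```

Everything listed under File:: is deleted outright when ComboFix runs the script (it shows up under "Other Deletions" in the resulting log), so read the live list before dropping the script onto ComboFix.exe; an AV log line whose path is under Program Files but belongs to something the user still wants is easy to catch at that point and hard to undo afterwards.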
  13. jvricker

    jvricker Thread Starter

    Joined:
    Jul 27, 2012
    Messages:
    10
    I haven't had any system problems after I started running ComboFix (none that I could tell anyway). :cool: Here is the latest report:

    ComboFix 12-07-29.02 - Jan 07/29/2012 19:53:38.6.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1577 [GMT -5:00]
    Running from: c:\users\Jan\Desktop\ComboFix.exe
    Command switches used :: c:\users\Jan\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\program files\GamingWonderlandEI\Installr\1.bin\gtEIPlug.dll"
    "c:\program files\GamingWonderlandEI\Installr\1.bin\gtEZSETP.dll"
    "c:\program files\GamingWonderlandEI\Installr\1.bin\NPgtEISb.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\GamingWonderlandEI\Installr\1.bin\gtEIPlug.dll
    c:\program files\GamingWonderlandEI\Installr\1.bin\gtEZSETP.dll
    c:\program files\GamingWonderlandEI\Installr\1.bin\NPgtEISb.dll
    c:\users\Jan\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-30 00:57 . 2012-07-30 00:57 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-29 21:51 . 2012-07-29 21:51 -------- d-----w- c:\program files\ESET
    2012-07-29 02:52 . 2012-07-29 16:42 -------- d-----w- c:\users\Jan\Jens Tools
    2012-07-29 01:05 . 2012-05-08 23:35 29528 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2012-07-29 01:05 . 2010-11-26 23:02 15672 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2012-07-29 00:57 . 2012-07-29 00:57 -------- d-----w- c:\users\Jan\AppData\Roaming\AVG2012
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\users\Jan\AppData\Local\AVG Secure Search
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\programdata\AVG Secure Search
    2012-07-29 00:56 . 2012-07-29 00:56 27496 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\program files\Common Files\AVG Secure Search
    2012-07-29 00:56 . 2012-07-29 00:56 -------- d-----w- c:\program files\AVG Secure Search
    2012-07-29 00:55 . 2012-07-29 00:55 -------- d-----w- C:\$AVG
    2012-07-29 00:55 . 2012-07-29 22:20 -------- d-----w- c:\windows\system32\drivers\AVG
    2012-07-29 00:55 . 2012-07-29 01:10 -------- d-----w- c:\programdata\AVG2012
    2012-07-28 03:03 . 2012-07-28 03:03 -------- d-----w- c:\program files\ERUNT
    2012-07-28 01:06 . 2012-07-28 01:08 -------- d-----w- c:\programdata\036DFF850000F549004A1E292F3B707C
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\users\Jan\AppData\Roaming\Malwarebytes
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-27 23:42 . 2012-07-27 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-27 23:42 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-23 09:27 . 2012-07-23 09:28 -------- d-----w- c:\program files\CCleaner
    2012-07-23 02:39 . 2012-07-23 02:39 -------- d-----w- c:\programdata\Lavasoft
    2012-07-23 02:39 . 2012-07-23 02:39 -------- d-----w- c:\users\Jan\AppData\Local\Downloaded Installations
    2012-07-23 02:38 . 2012-07-23 23:26 -------- d-----w- c:\users\Jan\AppData\Roaming\Ad-Aware Antivirus
    2012-07-14 02:44 . 2012-07-14 02:44 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-13 21:24 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 03:14 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-11 03:14 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 03:14 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 03:14 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 03:14 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 03:14 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-02 22:19 . 2012-06-21 05:09 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 05:09 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 05:09 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 05:09 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 05:09 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 05:09 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 05:09 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 20:19 . 2012-06-21 05:09 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:12 . 2012-06-21 05:09 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-01 14:03 . 2012-06-16 03:26 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-14 00:17 . 2012-07-27 23:38 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-29 00:56 2086496 ----a-w- c:\program files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll" [2012-07-29 2086496]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
    "ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
    "PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
    "CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 81920]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
    2008-07-31 23:26 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
    2008-08-04 21:46 1242424 ----a-w- c:\program files\Toshiba\TOSHIBA Service Station\TSS.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vProt]
    2012-07-29 00:56 1147488 ----a-w- c:\program files\AVG Secure Search\vprot.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\12.1.5\ViProtocol.dll
    FF - ProfilePath - c:\users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\igvng1dw.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=642886&p=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-29 20:04
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\AVG\AVG2012\avgwdsvc.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\12.1.5\ToolbarUpdater.exe
    c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-29 20:06:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-30 01:06
    ComboFix2.txt 2012-07-29 18:11
    ComboFix3.txt 2012-07-29 16:40
    ComboFix4.txt 2012-07-29 02:51
    ComboFix5.txt 2012-07-30 00:51
    .
    Pre-Run: 226,004,918,272 bytes free
    Post-Run: 226,077,945,856 bytes free
    .
    - - End Of File - - 29F194E7DB12B387B77BA47BD552459E
     
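Three things in this log were never commented on in the thread and are worth a look once the machine is clean: EnableLUA=0 under policies\system (UAC prompts are off), AntiVirusOverride=1 and FirewallOverride=1 under the Security Center key (Security Center will not warn if AV or the firewall is off), and a hidden+system directory literally named %APPDATA% created under c:\windows\system32 on 2012-07-14. None of these is proof of anything on its own, since a user can switch UAC off and a third-party AV can register overrides, but together with a services.exe detection they are the settings a practitioner resets and the directory they inspect. The script below is an added example from the editor, not a ComboFix feature and not from the thread; it pulls those indicators out of a ComboFix log. The sample is an excerpt of the log posted above.

```python
"""Flag security-weakening settings and odd hidden directories in a ComboFix log.

Added example (the editor's, not a ComboFix feature).  It reads the
"Reg Loading Points" and "Files Created" sections and reports: UAC off
(EnableLUA=0), Security Center status alerts suppressed (AntiVirusOverride /
FirewallOverride = 1), and hidden+system directories created under System32.
SAMPLE_LOG is an excerpt of the log posted in the thread.
"""
import re

SAMPLE_LOG = r"""
2012-07-14 02:44 . 2012-07-14 02:44 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-13 21:24 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 03:14 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
"""

_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+)$')
_DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")      # "dword:00000001"
_DEC_RE = re.compile(r"^(?P<dec>-?\d+)\s*\(0x[0-9a-fA-F]+\)$")   # "0 (0x0)"
# "<created> . <modified> <size or dashes> <flags> <path>".  The 8-character flag
# string is ComboFix's own; only its d (directory), s (system) and h (hidden)
# letters are relied on here (assumption about the format, based on the log).
_FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:\d+|-+)\s+(?P<flags>[-\w]{8})\s+(?P<path>.+)$"
)

POLICIES_SYSTEM = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
SYSTEM32 = "c:\\windows\\system32\\"


def _decode(raw):
    """Turn ComboFix's value rendering into an int where it is numeric."""
    raw = raw.strip()
    m = _DWORD_RE.match(raw)
    if m:
        return int(m.group("hex"), 16)
    m = _DEC_RE.match(raw)
    if m:
        return int(m.group("dec"))
    return raw.strip('"')


def parse_registry(text):
    """Return {lowercased key path: {value name: decoded value}}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            values.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            values[key][m.group("name")] = _decode(m.group("raw"))
    return values


def parse_files(text):
    """Return [(flags, path)] for every file/directory entry line."""
    out = []
    for line in text.splitlines():
        m = _FILE_RE.match(line.strip())
        if m:
            out.append((m.group("flags"), m.group("path")))
    return out


def audit(text):
    """Return a list of (code, detail) findings, registry items first."""
    findings = []
    reg = parse_registry(text)
    if reg.get(POLICIES_SYSTEM, {}).get("EnableLUA") == 0:
        findings.append(("uac_disabled", "EnableLUA=0: UAC prompts are off"))
    sc = reg.get(SECURITY_CENTER, {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if sc.get(name) == 1:
            findings.append(("security_center_override",
                             f"{name}=1: Security Center will not warn about this component"))
    for flags, path in parse_files(text):
        if flags.startswith("d") and "s" in flags and "h" in flags \
                and path.lower().startswith(SYSTEM32):
            findings.append(("hidden_system_dir", f"{path} ({flags})"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_LOG):
        print(f"{code:25s} {detail}")
```

ComboFix does not put these back on its own: EnableLUA is 1 by default on Vista and the two override values are normally absent, so once the scans come back clean the fix is to restore those in the registry (or simply re-enable UAC from the User Accounts control panel) and to check what, if anything, is inside that %APPDATA% directory before deleting it.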
  14. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Great! Glad to hear it's running better.
    ----------

    I see that your Java software is out of date. Please go to Start >> Control Panel >> Programs and Features >> delete all versions of Java.

    Now download and install the newest version from here >> http://java.com/en/download/index.jsp
    -------------

    Adobe Reader

    You have an older version of Adobe Reader. You can download the current version HERE

    You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

    Visit their support forum
    Foxit Forum

    In either case you should uninstall Adobe Reader 8.1.3 first. Be sure to move any PDF documents to another folder first though.
    ----------

    In your next reply let me know if you have any problems with the instructions and if you are having any more malware related problems. :)
     
  15. jvricker

    jvricker Thread Starter

    Joined:
    Jul 27, 2012
    Messages:
    10
    I didn't have any trouble updating the Java software or the Adobe Reader, thanks for the extra tips. Things seem to be running smoothly. No complaints here! :D:D:D
     

Short URL to this thread: https://techguy.org/1062875