Jump to content

Win 7 antivirus 2012 unregistered user virus

hackersbyte

By hackersbyte
in Resolved Malware Removal Logs

 Share

Recommended Posts

hackersbyte

hackersbyte

Posted
Posted

Hello,

I have gotten the Win 7 Antivirus 2012 unregistered version--their words not mine--virus. I was able to run the malwarebytes free version that was already on the computer, but only in safe mode.

According to the report, I had several infections:

Trojan.ExeShell.Gen as a File and Memory Process

Trojan.FakeAlert

Exploit.Drop.7

Hijack.ExeFile as a Registry Value

Hijacked.exefile

Hijack.StartMenuInternet

I removed and then restarted my computer in regular mode. While I was running Malwarebytes the fake Win 7 kept popping up with all these windows/warnings but allowed the program to run. After the program ran, I rebooted my computer as directed and I tried to run Malwarebytes (in regular mode) but my computer keeps asking me to choose a program to open Malwarebytes. So I cannot run Malwarebytes now.

I had to uninstall it from the Add/Remove programs as I could not do it from the start menu at Malwarebytes' uninstall icon. " :o Why did you do that?" you ask? Because I am overtired and frustrated and it makes one act like an idiot. ;)

I then downloaded a fresh copy of Malwarebytes from the site Majorgeeks.com from a different computer onto a USB stick and was going to download it to my infected computer to make sure it was clean. Unfortunately, I am having the same problem when I click on Malwarebytes on my USB stick. Should I rename it with the .com extension and then try and load it? I am really at a loss here. Thank you for your help.

Link to post
Share on other sites
hackersbyte

hackersbyte

Posted
  • Author
Posted

Hello,

I received this e-mail today as I had signed up to be notified of a reply.

Subject: Tmose replied to Win 7 antivirus 2012 unregistered user virus

Date: 1/4/2012 12:23:17 P.M. Eastern Standard Time

From: no-reply@malwarebytes.org

However, when I copy and paste the link in the toolbar there is no reply but my original message does appear. I also tried searching for my post to see if I could see the reply there but there is no reply. I also put Tmose in the search section of this forum but nothing comes up. (?)

Thanks for any help!

Link to post
Share on other sites
Tmose

Tmose

Posted
Posted

Hello,

I received this e-mail today as I had signed up to be notified of a reply.

Subject: Tmose replied to Win 7 antivirus 2012 unregistered user virus

Date: 1/4/2012 12:23:17 P.M. Eastern Standard Time

From: no-reply@malwarebytes.org

However, when I copy and paste the link in the toolbar there is no reply but my original message does appear. I also tried searching for my post to see if I could see the reply there but there is no reply. I also put Tmose in the search section of this forum but nothing comes up. (?)

Thanks for any help!

Sorry, I posted a potential solution but am not authorized on this forum to provide support. Because I am not authorized, the original response was removed.

Tmose

Link to post
Share on other sites
hackersbyte

hackersbyte

Posted
  • Author
Posted

I was finally able to get Malwarebytes to run in Safe Mode with Networking after using the exehelper. (I was unable to open any programs in safe mode as they all kept asking for an associated program to open with).

I ran the quick scan and only one item was found. Hijack.StartMenuInternet in the Registry Data. It is in quarantine for now with the aformentioned items.

I had Avast 6 free on the computer but now Avast said the system was off, the file system shield needed to be turned on, etc. none of which I was able to do. I had last updated the program when everything crashed so I did a scan anyway. It only took 29 minutes as opposed to the normal 1 plus hours and found nothing. I uninstalled Avastfrom the add/remove programs, also used their uninstall file after that and reinstalled a fresh copy to no avail. I uninstalled again and tried to install AVG free 2012 in safe mode but got a warning that that may not be a good idea so I didn't as I wasn't sure what to do. It is a registered and unexpired copy that I downloaded from the CNET site. Avast's site keeps kicking back my registration when I try to register on their site for help. It won't recognize the security thing at the bottom they have you type in...

If I were to allow my laptop to start in normal mode everything goes black except for my lonely cursor. I ran the dds.com from a USB stick. I have attached the files. I had to run it in Safe Mode minus networking as I do not have any antivirus now and don't know what to do...

I would be most grateful for your help.

Attach.txt

DDS.txt

Link to post
Share on other sites
  • 2 weeks later...
hackersbyte

hackersbyte

Posted
  • Author
Posted

Thank you!

Malwarebytes Anti-Malware 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.17.01

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

:: -PC [administrator]

1/16/2012 11:48:53 PM

mbam-log-2012-01-16 (23-48-53).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 173854

Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

.

DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK

Internet Explorer: 9.0.8112.16421

Run by at 23:57:16 on 2012-01-16

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.3171 [GMT -5:00]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\windows\Explorer.EXE

C:\windows\system32\ctfmon.exe

C:\windows\System32\svchost.exe -k secsvcs

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/webhp?hl=en#

uDefault_Page_URL = hxxp://start.toshiba.com/g/

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

mRun: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED

mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun: [Conime] %windir%\system32\conime.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{9B127E34-76FD-4A23-8429-EDAC3C66B58A} : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{DFA5F5E1-3658-4C60-9370-523FEC7AD6A9} : DhcpNameServer = 192.168.2.1

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

mRun-x64: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun-x64: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun-x64: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED

mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun-x64: [Conime] %windir%\system32\conime.exe

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

.

============= SERVICES / DRIVERS ===============

.

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]

R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]

R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]

S2 !SASCORE;SAS Core Service;"C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" --> C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [?]

S2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-24 136176]

S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe [2011-12-19 394672]

S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe [2011-3-12 115056]

S2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe [2011-3-12 126392]

S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-4-6 258928]

S3 acpials;ALS Sensor Filter;C:\windows\system32\DRIVERS\acpials.sys --> C:\windows\system32\DRIVERS\acpials.sys [?]

S3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atikmdag.sys --> C:\windows\system32\DRIVERS\atikmdag.sys [?]

S3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-24 136176]

S3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]

S3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]

S3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]

S3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]

S3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]

S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]

S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-3-12 54136]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]

S3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-3-31 835952]

S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-01-17 04:50:35 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{20AD4DE2-C0FF-417F-AF0C-463CC23D7FD6}\offreg.dll

2012-01-07 22:04:02 -------- d--h--w- C:\ProgramData\Common Files

2012-01-07 22:03:48 -------- d-----w- C:\ProgramData\MFAData

2012-01-07 20:14:27 23152 ----a-w- C:\windows\System32\drivers\mbam.sys

2012-01-07 20:14:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-12-27 16:42:05 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{20AD4DE2-C0FF-417F-AF0C-463CC23D7FD6}\mpengine.dll

2011-12-21 00:00:23 -------- d-----w- C:\windows\SysWow64\kodak

.

==================== Find3M ====================

.

2011-11-24 04:52:09 3145216 ----a-w- C:\windows\System32\win32k.sys

2011-11-16 15:42:04 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-11-05 05:32:50 2048 ----a-w- C:\windows\System32\tzres.dll

2011-11-05 04:26:03 2048 ----a-w- C:\windows\SysWow64\tzres.dll

2011-11-04 01:53:39 2309120 ----a-w- C:\windows\System32\jscript9.dll

2011-11-04 01:44:47 1390080 ----a-w- C:\windows\System32\wininet.dll

2011-11-04 01:44:21 1493504 ----a-w- C:\windows\System32\inetcpl.cpl

2011-11-04 01:34:43 2382848 ----a-w- C:\windows\System32\mshtml.tlb

2011-11-03 22:47:42 1798144 ----a-w- C:\windows\SysWow64\jscript9.dll

2011-11-03 22:40:21 1427456 ----a-w- C:\windows\SysWow64\inetcpl.cpl

2011-11-03 22:39:47 1127424 ----a-w- C:\windows\SysWow64\wininet.dll

2011-11-03 22:31:57 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb

2011-10-26 05:21:20 43520 ----a-w- C:\windows\System32\csrsrv.dll

.

============= FINISH: 23:57:59.76 ===============

Link to post
Share on other sites
hackersbyte

hackersbyte

Posted
  • Author
Posted

I am trying to run ComboFix in safe mode but a window has popped up saying it has detected Avast! as an antivirus and antispyware and I need to disable it prior to running. I could not find Avast either in the Start --All Programs list, or in the Control Panel list of programs??? How do I disable it if I can't find it?

So I haven't run ComboFix yet. I am really not sure where else to look...

I did turn off my firewall, made sure Windows Defender disabled as well...

Link to post
Share on other sites
hackersbyte

hackersbyte

Posted
  • Author
Posted

I was advised over at the Avast forums that it ComboFix should run ok despite the warning about Avast as long as I was in Safe Mode.

I ran ComboFix in Safe Mode (no networking) and clicked ok when I got the warnings in post #8. I stepped away from my computer form maybe 5 minutes and next thing I know it's trying unsucessfully to boot into Normal Mode. It seemed to stall out so I restarted it in Safe Mode (not with Networking) and re-ran ComboFix. When it had completed Stage 50 (the last one) successfully, the cursor sat there for a bit and then said rebooting and click! Buh-bye. I let it try and boot into Normal mode which it seemed to do a little quicker, but still very slow compared to before this mess started. The blue ComboFix box reappeared and said it was generating the log and report.

I then tried to run the DDS.com but a warning box popped up with a red "x" F:\dds.com and something about the action being illegal as the registry key is marked for deletion (!)

I rebooted (again) in safe mode (no networking) and was able to run it then. Maybe more information than you needed but...

ComboFix 12-01-17.02 - 01/20/2012 0:44.2.4 - x64 MINIMAL

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.3243 [GMT -5:00]

Running from: F:\ComboFix.exe

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\programdata\xp

c:\programdata\xp\EBLib.dll

c:\programdata\xp\TPwSav.sys

c:\users\Default\AppData\Roaming\DPInst.exe

c:\users\Default\AppData\Roaming\gacutil.exe

c:\users\Default\AppData\Roaming\PnPutil.exe

c:\users\Mcaleer\oem-ufd-98-driver.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))

.

.

2012-01-20 05:49 . 2012-01-20 05:49 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-07 22:04 . 2012-01-07 22:04 -------- d--h--w- c:\programdata\Common Files

2012-01-07 22:03 . 2012-01-07 22:04 -------- d-----w- c:\programdata\MFAData

2012-01-07 20:14 . 2012-01-07 20:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-01-07 20:14 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-27 16:42 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{20AD4DE2-C0FF-417F-AF0C-463CC23D7FD6}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-24 04:52 . 2011-12-14 22:30 3145216 ----a-w- c:\windows\system32\win32k.sys

2011-11-16 15:42 . 2011-05-18 21:01 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-11-05 05:32 . 2011-12-14 22:30 2048 ----a-w- c:\windows\system32\tzres.dll

2011-11-05 04:26 . 2011-12-14 22:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2011-11-04 01:53 . 2011-12-14 22:52 2309120 ----a-w- c:\windows\system32\jscript9.dll

2011-11-04 01:44 . 2011-12-14 22:52 1390080 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 01:44 . 2011-12-14 22:52 1493504 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 01:34 . 2011-12-14 22:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-11-03 22:47 . 2011-12-14 22:52 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll

2011-11-03 22:40 . 2011-12-14 22:52 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2011-11-03 22:39 . 2011-12-14 22:52 1127424 ----a-w- c:\windows\SysWow64\wininet.dll

2011-11-03 22:31 . 2011-12-14 22:52 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-10-26 05:21 . 2011-12-14 22:30 43520 ----a-w- c:\windows\system32\csrsrv.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-27 102400]

"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-12-25 34160]

"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-02-23 352256]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-05 423936]

"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]

"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-08-17 3218792]

"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-25 136176]

R3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-25 136176]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]

R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-03-31 835952]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [x]

S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [x]

S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]

S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files (x86)\Kodak\AiO\Center\EKAiOHostService.exe [2011-12-19 394672]

S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe [2010-10-20 115056]

S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe [2009-08-24 126392]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-04-06 258928]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]

S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-25 03:18]

.

2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-25 03:18]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-05-25 10816032]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-05-25 2090528]

"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]

"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe" [2011-06-16 2922496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/webhp?hl=en#

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

TCP: DhcpNameServer = 192.168.2.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-TSleepSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

Wow6432Node-HKLM-Run-Conime - c:\windows\system32\conime.exe

Toolbar-Locked - (no file)

HKLM-Run-(Default) - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe

HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe

HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe

HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe

HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe

HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe

HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]

"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.6.22\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-01-20 00:57:33 - machine was rebooted

ComboFix-quarantined-files.txt 2012-01-20 05:57

.

Pre-Run: 578,819,452,928 bytes free

Post-Run: 578,652,995,584 bytes free

.

- - End Of File - - 9D71F52BA8371008C5FD842D71E67445

.

DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL

Internet Explorer: 9.0.8112.16421

Run by at 1:37:37 on 2012-01-20

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.2957 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\Explorer.EXE

C:\windows\system32\ctfmon.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/webhp?hl=en#

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

mRun: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED

mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Conime] %windir%\system32\conime.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{9B127E34-76FD-4A23-8429-EDAC3C66B58A} : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{DFA5F5E1-3658-4C60-9370-523FEC7AD6A9} : DhcpNameServer = 192.168.2.1

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

mRun-x64: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun-x64: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED

mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [Conime] %windir%\system32\conime.exe

.

============= SERVICES / DRIVERS ===============

.

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]

R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]

S1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

S2 !SASCORE;SAS Core Service;"C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" --> C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [?]

S2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-24 136176]

S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe [2011-12-19 394672]

S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe [2011-3-12 115056]

S2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe [2011-3-12 126392]

S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-4-6 258928]

S3 acpials;ALS Sensor Filter;C:\windows\system32\DRIVERS\acpials.sys --> C:\windows\system32\DRIVERS\acpials.sys [?]

S3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atikmdag.sys --> C:\windows\system32\DRIVERS\atikmdag.sys [?]

S3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-24 136176]

S3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]

S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]

S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]

S3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]

S3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]

S3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]

S3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]

S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]

S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-3-12 54136]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]

S3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-3-31 835952]

S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-01-20 05:59:19 514560 ----a-w- C:\windows\SysWow64\qdvd.dll

2012-01-20 05:59:19 366592 ----a-w- C:\windows\System32\qdvd.dll

2012-01-20 05:59:19 1572864 ----a-w- C:\windows\System32\quartz.dll

2012-01-20 05:59:19 1328128 ----a-w- C:\windows\SysWow64\quartz.dll

2012-01-20 05:59:18 1731920 ----a-w- C:\windows\System32\ntdll.dll

2012-01-20 05:59:18 1292080 ----a-w- C:\windows\SysWow64\ntdll.dll

2012-01-20 05:59:17 77312 ----a-w- C:\windows\System32\packager.dll

2012-01-20 05:59:17 67072 ----a-w- C:\windows\SysWow64\packager.dll

2012-01-20 05:53:01 -------- d-sh--w- C:\$RECYCLE.BIN

2012-01-20 05:29:03 98816 ----a-w- C:\windows\sed.exe

2012-01-20 05:29:03 518144 ----a-w- C:\windows\SWREG.exe

2012-01-20 05:29:03 256000 ----a-w- C:\windows\PEV.exe

2012-01-20 05:29:03 208896 ----a-w- C:\windows\MBR.exe

2012-01-07 22:04:02 -------- d--h--w- C:\ProgramData\Common Files

2012-01-07 22:03:48 -------- d-----w- C:\ProgramData\MFAData

2012-01-07 20:14:27 23152 ----a-w- C:\windows\System32\drivers\mbam.sys

2012-01-07 20:14:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-12-27 16:42:05 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{20AD4DE2-C0FF-417F-AF0C-463CC23D7FD6}\mpengine.dll

.

==================== Find3M ====================

.

2011-11-24 04:52:09 3145216 ----a-w- C:\windows\System32\win32k.sys

2011-11-16 15:42:04 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-11-05 05:32:50 2048 ----a-w- C:\windows\System32\tzres.dll

2011-11-05 04:26:03 2048 ----a-w- C:\windows\SysWow64\tzres.dll

2011-11-04 01:53:39 2309120 ----a-w- C:\windows\System32\jscript9.dll

2011-11-04 01:44:47 1390080 ----a-w- C:\windows\System32\wininet.dll

2011-11-04 01:44:21 1493504 ----a-w- C:\windows\System32\inetcpl.cpl

2011-11-04 01:34:43 2382848 ----a-w- C:\windows\System32\mshtml.tlb

2011-11-03 22:47:42 1798144 ----a-w- C:\windows\SysWow64\jscript9.dll

2011-11-03 22:40:21 1427456 ----a-w- C:\windows\SysWow64\inetcpl.cpl

2011-11-03 22:39:47 1127424 ----a-w- C:\windows\SysWow64\wininet.dll

2011-11-03 22:31:57 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb

2011-10-26 05:21:20 43520 ----a-w- C:\windows\System32\csrsrv.dll

.

============= FINISH: 1:38:24.07 ===============

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

I apologize for the extended delay.

Update MBAM, run a Quick Scan, and post its log.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites
hackersbyte

hackersbyte

Posted
  • Author
Posted

I had a little trouble with Eset in Safe Mode. When I went online with IE, the windows were so oversized I had trouble seeing the contents of the window despite attempting to resize them. I did run the program and it said it had detected Windows Defender and it may interfere with the Eset.

Windows Defender would not show up in search Programs and Files nor could I access it from the Help link. I finally got to it through System Configuration but it said it was not running so I went ahead and ran Eset. I did not get any warnings about Avast like ComboFix gave me though.

At step 3 of Eset it said it had detected and deleted a malicious program and gave me the option of "seeing" what it was. It did not mention anything about a log file. I did save this one line report to Notepad and it is listed below. I then clicked Finish for Step 4 and a pop-up came up asking me to buy or download their free trial but there was no way to close it out. I looked in my Program Files for the file you mentioned in your instructional post but there was nothing there. Nothing came up in the search Programs and Files either except for what I said I saved. I don't know what happened but I hope I got what you needed from it. I had to close IE to get out of that pop-up.

I had no problems with your program.

Malwarebytes Anti-Malware 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.27.06

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

M :: M-PC [administrator]

1/27/2012 5:12:04 PM

mbam-log-2012-01-27 (17-12-04).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 177946

Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

C:\Users\M\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\6df58b5b-36edf5f9 a variant of Win32/Kryptik.YDB trojan cleaned by deleting - quarantined

Results of screen317's Security Check version 0.99.30

Windows 7 x64 (UAC is enabled)

Internet Explorer 9

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Java 6 Update 20

Java version out of date!

Adobe Reader 9 Adobe Reader out of date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

I then restarted my computer in Normal Mode. It seems ok. IE seems to open up a wee bit slower than I remember--but it has also been awhile since I've been able to use it in Normal Mode so maybe it's me...

I do have a faded out icon with the label desktop under it on my screen that I never had before. The properties say it is desktop.ini and was created and last accessed 06/24/2011. Where did that come from???

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

Delete the desktop.ini and see if it returns.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Reboot.

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Run TFC by OldTimer to clear temporary files:

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

Java™ 6 Update 20

Adobe Reader 9 Adobe Reader out of date!

Restart your computer.

Get the latest version of Java, Adobe Reader, and Adobe Flash Player.

Next, please run the PCPitstop Full Tests here (NOT the PCMatic scan or any other scan; simply register with the box on the left and you will be taken to the Full Tests/Overdrive Test). When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

Link to post
Share on other sites
hackersbyte

hackersbyte

Posted
  • Author
Posted

[edited link out -screen317]

The desktop.ini file did not reappear after re booting. Windows did say it was installing 17 or 471 components and a few other numbers on the reboot.

I could only find the comboFix notepad file so that was not uninstalled. I thought I had installed a copy of it on my laptop from my USB stick to run it but I guess it ran from the stick?

When I downloaded the TFC.exe file it asked me to close IE prior to running it but when I did I had a heck of a time finding it on my laptop. It wouldn't show up in the search programs and files from the Start Menu. I'm only started using Windows 7 in 2011 and have had this issue before so I don't know if it is related to 7 or the bug I had...

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

Put a copy of ComboFix on your Desktop and try this command:

"%userprofile%\desktop\ComboFix.exe" /uninstall

TFC isn't saying to delete IE. Just close any open instances.

Defragmenting is a must. It's one of the large reasons for system slowdowns. I use Defraggler to defragment. It is free to download and you can use it forever. I recommend installing it and defragmenting as soon as possible.

Link to post
Share on other sites
hackersbyte

hackersbyte

Posted
  • Author
Posted

Rather than trying to download the copy of ComboFix from my USB, I downloaded it from bleepingcomputer.com I followed their instructions to select run but did not allow the program to start the acutal application.

I tried your uninstall instructions and Windows 7 is still telling me the program is not found. Although if I typed ComboFix in the search box it was found in the downloads folder.

I went to my downloads file and created a shortcut on my desktop and then deleted it from the downloads file. Once I did that I finally got a window that said ComboFix was uninstalled. However, the shortcut still appeared on my desktop and if I opened it, the black dialog box showing the program starting opened which I immediately closed. For now, both the short cut and the program are in my recycle bin but is it really uninstalled?

When Defraggle asked me if I wanted to delete the items in my Recycle bin prior to defragging I said no, as I wasn't sure if it would mess things up as I'm not totally sure ComboFix is uninstalled. Defraggle is still running.

Thanks for the heads up on Defraggle. It said it would take 3 hours. At least now I know how long it will take vs. the Windows 7 defrag guessing game.

When I downloaded the TFC.exe file it asked me to close IE prior to running it but when I did I had a heck of a time finding it on my laptop.

TFC isn't saying to delete IE. Just close any open instances.

I understood that part, I just couldn't figure out why the TFC program was so hard to find after downloading it. I'm pretty new to Windows 7. I don't get a dialog box asking me where I want to save a file to when downloading like I did in XP, I guess I have to check into that when this is fixed. I'm staying off the infected computer unless you give me instructions and when I get the all clear to reinstall Avast and install the paid version of Malwarebytes.

Any ideas on the ComboFix question?

Link to post
Share on other sites
hackersbyte

hackersbyte

Posted
  • Author
Posted

No worries on the delay. I deleted the ComboFix files as you instructed and emptied the recycle bin. I then repeated the downloading instructions for ComboFix in #14.

I am still unable to use the uninstall instructions. Apparently IE9 sends ALL downloads to the downloads file as a default. I can change the settings slightly but not enough to help with downloading an application. I had to cut ComboFix from the downloads file and paste it to the Program Files. Apparently I am not able to just drag it there with IE 9.

You can see from the images that ComboFix was indeed downloaded onto my computer but for some reason the normal uninstall or program location methods are not working with IE9.

I am leaving things as you see and awaiting further instructions.

Thank you.

post-104731-0-09417200-1329272360.png

post-104731-0-29195300-1329272373.png

post-104731-0-87338500-1329272390.png

Link to post
Share on other sites
hackersbyte

hackersbyte

Posted
  • Author
Posted

:blush: Oh for cryin' out loud. I've only been staring and typing that in for what a week now? Next time I'll zoom in :blush:

Thank you. Once I typed the correct command it worked. Still don't understand why ComboFix wouldn't show up in a search but at least that's taken care of.

Should I re-install my antivirus and run that and another quick scan to be sure I'm not infected anymore?

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

:lol: It happens to the best of us. Well at least it was that and not something wrong with the computer.. ;)

Yes reinstall your antivirus! Update it and then run a scan.

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.