
Malwarebytes

Need help getting rid of windows command processor/trojan azgreb


33 replies to this topic

#1
tysonboh

    New Member

  • Members
  • 20 posts
  • Gender:Male
Hi, last Saturday a pop-up box appeared wanting me to open something called Windows Command Processor. I clicked no, then it instantly popped up again and continued to do so. After a quick search I realised it was a virus. I followed some online instructions, doing things like downloading rkill and Malwarebytes and using both in safe mode to remove the virus, yet it has not removed it; the pop-up keeps appearing when I boot in normal mode, so I came here for help. Also take note that I have not accepted the pop-up box once; I exit it every time until it goes down into the toolbar.

I ran the log things on the DDS program as well; here are the two logs.

Any help would be greatly appreciated, as this is a major inconvenience to me. Thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 1.6.0_29
Run by USER at 22:23:36 on 2012-07-05
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\regedit.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\USER\Downloads\dds.scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.facebook.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Complitly: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\users\user\appdata\roaming\complitly\Complitly.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
BHO: Complitly: {d27fc31c-6e3d-4305-8d53-acdaefa5f862} - c:\users\user\appdata\roaming\complitly\Complitly.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Facebook Update] "c:\users\user\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [HbxTfbyd] c:\users\user\appdata\local\cujhubpm\hbxtfbyd.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_Plugin.exe -update plugin
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [FingerPrintNotifer] "c:\program files\truesuite access manager\FpNotifier.exe"
mRun: [UsbMonitor] "c:\program files\truesuite access manager\usbnotify.exe"
mRun: [PwdBank] "c:\program files\truesuite access manager\PwdBank.exe"
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRunOnce: [GrpConv] grpconv -o
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.88.1
TCP: Interfaces\{67546975-2D87-494D-AB3C-65D4D5547D83} : DhcpNameServer = 192.168.88.1
TCP: Interfaces\{9B623AC4-5DD2-4064-99A8-EBC993945FAC} : DhcpNameServer = 192.168.88.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\user\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\user\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\user\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\plugins\np-mswmp.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\battlefieldheroespatcher@ea.com\plugins\npBFHUpdater.dll
.
============= SERVICES / DRIVERS ===============
.
R? Authentec memory manager;Authentec memory manager service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? ConfigFree Service;ConfigFree Service
R? EraserUtilRebootDrv;EraserUtilRebootDrv
R? FontCache;Windows Font Cache Service
R? IDSvix86;Symantec Intrusion Prevention Driver
R? massfilter;ZTE Mass Storage Filter Driver
R? MozillaMaintenance;Mozilla Maintenance Service
R? SBSDWSCService;SBSD Security Center Service
R? Symantec Core LC;Symantec Core LC
R? SYMNDISV;SYMNDISV
R? TOSHIBA SMART Log Service;TOSHIBA SMART Log Service
R? TrojanKillerDriver;GridinSoft Trojan Killer Driver
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
R? ZTEusbnet;ZTE USB-NDIS miniport
S? AlfaFF;AlfaFF mini-filter driver
S? FwLnk;FwLnk Driver
S? NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit
.
=============== Created Last 30 ================
.
2012-07-04 12:45:59 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2012-07-04 05:22:09 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f7bdeaaa-f8e4-4513-a34e-69a86815d46a}\mpengine.dll
2012-06-30 10:46:38 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-06-30 05:00:24 93708 --s---w- c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe
2012-06-22 01:25:24 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 01:24:37 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 01:24:25 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 01:24:25 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-20 08:09:42 -------- d-----w- c:\program files\Microsoft XNA
2012-06-20 08:09:25 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-06-20 08:09:25 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2012-06-20 08:09:24 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2012-06-20 08:09:24 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-06-20 08:09:22 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-06-20 08:09:22 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-06-20 08:09:20 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2012-06-20 08:07:57 -------- d-----w- c:\program files\Superfighters Deluxe
2012-06-19 10:09:04 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-19 10:09:04 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-14 07:58:07 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:58:06 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 07:58:06 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:24:12 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:24:10 2045440 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec
2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-24 11:50:49 737280 ----a-w- c:\windows\iun6002.exe
.
============= FINISH: 22:24:52.84 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 9/09/2011 10:17:24 AM
System Uptime: 5/07/2012 10:05:16 PM (0 hours ago)
.
Motherboard: Intel Corp. | | Base Board Product Name
Processor: Intel® Core™2 Duo CPU T5750 @ 2.00GHz | CPU | 2120/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 179 GiB total, 13.358 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.0
Adobe Shockwave Player 11.6
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
ATI Catalyst Install Manager
µTorrent
Audacity 2.0
AV
AviSynth 2.5
Battlefield Heroes
Bluetooth Stack for Windows by Toshiba
Bonjour
Camera Assistant Software for Toshiba
Canon Easy-WebPrint EX
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator EX 3.0
Canon MP270 series MP Drivers
Canon Utilities Digital Photo Professional 3.10
Canon Utilities Easy-PhotoPrint EX
Canon Utilities EOS Utility
Canon Utilities EOS Video Snapshot Task for ZoomBrowser EX
Canon Utilities Movie Uploader for YouTube
Canon Utilities My Printer
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities Solution Menu
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Dutch
CCC Help English
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Swedish
ccCommon
CD/DVD Drive Acoustic Silencer
CDisplay 1.8
Celtx (2.9.1)
Comical 0.8
ComicRack v0.9.153
Complitly
DVD MovieFactory for TOSHIBA
Facebook Video Calling 1.2.0.159
FM Tuner Utility
Freecorder 2.3 (with Skype Call Recording)
Freecorder 5
Freecorder Toolbar
Google Chrome
HandBrake 0.9.6
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java™ 6 Update 29
Java™ 6 Update 3
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office Standard Edition 2003
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Microsoft XNA Framework Redistributable 3.1
Mozilla Firefox 13.0.1 (x86 en-US)
Mozilla Maintenance Service
MSRedist
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Pando Media Booster
PunkBuster Services
QuickTime
Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Windows Media Encoder (KB2447961)
Skins
SPBBC 32bit
Spybot - Search & Destroy
Superfighters Deluxe Pre-Alpha
swMSM
Symantec Real Time Storage Protection Component
SymNet
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
TOSHIBA SD Memory Utilities
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Trojan Killer
TrueSuite Access Manager
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
uTorrentBar Toolbar
VLC media player 2.0.1
Windows Driver Package - Cmotech (cmusbnet) Net (06/11/2007 2.0.0.9)
Windows Driver Package - Cmotech Modem (12/13/2006 2.0.3.5)
Windows Driver Package - Cmotech Ports (12/13/2006 2.0.3.5)
Windows Media Encoder 9 Series
.
==== Event Viewer Messages From Past Week ========
.
5/07/2012 10:07:57 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
5/07/2012 10:07:18 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl SPBBCDrv spldr SRTSPX SYMTDI Wanarpv6
5/07/2012 10:07:18 PM, Error: Service Control Manager [7001] - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
5/07/2012 10:07:18 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
5/07/2012 10:06:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
5/07/2012 10:06:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
5/07/2012 10:06:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
5/07/2012 10:06:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/07/2012 10:06:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
5/07/2012 10:05:57 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
5/07/2012 10:05:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
4/07/2012 3:50:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
.
==== End Of File ===========================

Edited by Maurice Naggar, 05 July 2012 - 08:23 AM.
Logs In-line
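As an added example (not code from the thread, DDS or RogueKiller), here is a Python script that applies the checks a helper makes by eye on the Run entries and the Startup-folder file in the log above: a per-user Run value pointing into a random-named AppData folder, and a startup file carrying the system attribute. The sample lines are copied from the log; the allow-list of vendor folders, the name-randomness test and the reading of the DDS attribute column are constructed assumptions.

```python
"""Triage autorun entries from DDS log lines.

Added example for this thread; it is not DDS or RogueKiller code. SAMPLE_LOG
is a constructed subset of the posted log; the checks are illustrative
heuristics (the helper's by-eye rules), not a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: Run entries and two "Created Last 30" rows in DDS
# format, copied from the log posted above.
SAMPLE_LOG = r"""
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [HbxTfbyd] c:\users\user\appdata\local\cujhubpm\hbxtfbyd.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
2012-06-30 05:00:24 93708 --s---w- c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe
2012-06-19 10:09:04 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
"""

# uRun/mRun = HKCU/HKLM Run keys (RunOnce likewise).
RUN_RE = re.compile(r'^(?P<hive>[um])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# "Created Last 30" rows: date time size attributes path.
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+(?P<attr>\S{8})\s+(?P<path>.+)$')
PROFILE_RE = re.compile(r'\\users\\[^\\]+\\appdata\\(?:local|roaming)\\(?P<sub>[^\\]+)\\', re.I)
STARTUP_RE = re.compile(r'\\start menu\\programs\\startup\\', re.I)

# Vendor folders under AppData that legitimately host updaters on this
# machine (Google Update, Facebook Update). Constructed allow-list.
KNOWN_APPDATA_VENDORS = {'google', 'facebook', 'microsoft', 'mozilla', 'apple', 'adobe'}


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def executable_path(command: str) -> str:
    """Pull the program path out of a Run value (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)\b', command, re.I)
    return m.group(1) if m else command.split(' ', 1)[0]


def looks_random(token: str) -> bool:
    """Crude test for generated names: few vowels or a long consonant run."""
    letters = re.sub(r'[^a-z]', '', token.lower())
    if len(letters) < 6:
        return False
    vowels = sum(c in 'aeiouy' for c in letters)
    longest_run = max(len(r) for r in re.split(r'[aeiouy]', letters))
    return vowels / len(letters) <= 0.25 or longest_run >= 4


def triage(log_text: str) -> List[Finding]:
    """Return the autorun entries that deserve a second look, with reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            path = executable_path(run['cmd'])
            f = Finding(run['name'], path)
            if '\\' not in path:
                f.reasons.append('bare file name, resolved through the search path')
            prof = PROFILE_RE.search(path)
            if prof and prof['sub'].lower() not in KNOWN_APPDATA_VENDORS:
                f.reasons.append('runs from user-writable profile folder ' + prof['sub'])
                stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
                if looks_random(prof['sub']) and looks_random(stem):
                    f.reasons.append('random-looking folder and file name')
                if run['hive'] == 'u':
                    f.reasons.append('per-user Run key: persists without admin rights')
            if f.reasons:
                findings.append(f)
            continue
        fil = FILE_RE.match(line)
        if fil and STARTUP_RE.search(fil['path']):
            f = Finding(fil['path'].rsplit('\\', 1)[-1], fil['path'])
            f.reasons.append('new file in the Startup folder')
            # Assumption: 's' in the DDS attribute column is the system attribute,
            # which no ordinary user program needs on its startup entry.
            if 's' in fil['attr']:
                f.reasons.append('system attribute set on a user startup file')
            findings.append(f)
    return findings
```

Run it over a full DDS log and each finding lists why it was raised; entries with no reason (the vendor updaters, Program Files entries) are not reported.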


#2
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • 13,146 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Hello tysonboh,

Going forward, do NOT attach log/reports. Always Copy & Paste contents into main-body of reply-box !

Tell me if you have a current license for Norton/Symantec, or whether this pc used to have a trial version of some Symantec app ??

Please follow my guidance.
  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

~Maurice Naggar

I close my threads if there are 5 days without a response.

#3
Maurice Naggar

P.S.
Your logs showed some peer-to-peer filesharing apps: uTorrent. I do not recommend the use of P-2-P programs since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.
Risks of File-Sharing Technology.

P2P file sharing: Know the risks

De-install (remove) uTorrent and any other peer-to-peer app AND confirm doing so.

I would also recommend the removal of the ASK toolbar.

All of this is just a starter. There's a whole lot of things to follow.
Do NOT do any websurfing, NO online banking, NO online transactions.
Just only go to this forum and the websites I guide you to.
~Maurice Naggar


#4
tysonboh

Yes, I did have Norton Antivirus, which has recently expired, and I was yet to renew my subscription.

Also, here is the log from the recently requested scan.

RogueKiller V7.6.2 [07/02/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: USER [Admin rights]
Mode: Scan -- Date: 07/05/2012 23:40:19

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-862659715-177543783-37968287-1003[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++
--- User ---
[MBR] 7df079e97d313bc9037b9c8b17b36d9c
[BSP] 59cdd0f62e430d3ee99792baf5e868e5 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 182987 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 377831424 | Size: 6286 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#5
tysonboh

Also, I uninstalled uTorrent, yet was unable to uninstall the Ask toolbar.

#6
tysonboh

Also, whilst doing all of this, would you like me to stay in safe mode with networking? It's what I'm in at the moment.

#7
Maurice Naggar

For the time being, Safe Mode with Networking is ok. Please try to do the following ....if possible.... and then post and await my next reply.

Use your browser to go here at Virustotal website
Click the Choose File button and then navigate to C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe, then click the Scan it button.
The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

==
Use your browser to go here at VirSCAN.org website
Click the Browse button and then navigate to C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe, then click the Upload button.

Save the results, and post back here in a reply.
~Maurice Naggar


#8
tysonboh

Nothing happened when I clicked on the Browse or Choose File buttons on both websites using Firefox, but then I switched to Internet Explorer and it worked. The results from the first website were:

File already analysed


This file was already analysed by VirusTotal on 2012-06-30 01:17:27.
Detection ratio: 3/42
You can take a look at the last analysis or analyse it again now.

I then clicked to look at the last analysis and it said:

SHA256: 4c88fa0048c8ab984c6a8ec730b11332cafcb5d9d5805772aba6d22fb1cd6cf1
SHA1: f1816ff44af8796ebfa1addc391b4554d9d45eed
MD5: 98ec79dd327cba948331972d5d69ea8a
File size: 91.5 KB ( 93708 bytes )
File name: 00ED56ED0C8ACB406ED701A8D72FB900F260307A.exe
File type: Win32 EXE
Detection ratio: 3 / 42
Analysis date: 2012-06-30 01:17:27 UTC ( 5 days, 12 hours ago )

Then I did the scan on the second website and these were the results:

VirSCAN.org Scanned Report :
Scanned time : 2012/07/06 00:09:02 (EST)
Scanner results: 28% Scanner(s) (10/36) found malware!
File Name : hbxtfbyd.exe
File Size : 93708 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 98ec79dd327cba948331972d5d69ea8a
SHA1 : f1816ff44af8796ebfa1addc391b4554d9d45eed
Online report : http://r.virscan.org...ce16b58c1d26363

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120705120340 2012-07-05 9.62 Backdoor.Win32.Azbreg!IK
AhnLab V3 ... .. -- 0.44 -
AntiVir 8.2.10.80 7.11.32.106 2012-06-09 0.17 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.27 -
Arcavir 2011 201206041805 2012-06-04 4.47 -
Authentium 5.1.1 201207050736 2012-07-05 1.77 -
AVAST! 4.7.4 120704-1 2012-07-04 0.21 Win32:Rootkit-gen [Rtk]
AVG 12.0.1787 2437/5112 2012-07-05 0.44 BackDoor.Generic15.BGUU
BitDefender 7.90123.7.90123 7.90123 2012-07-05 0.17 -
ClamAV 0.97.3 15110 2012-07-05 0.26 -
Comodo 5.1 12837 2012-07-05 2.83 -
CP Secure 1.3.0.5 2012.07.05 2012-07-05 0.50 -
Dr.Web 7.0.2.4281 2012.07.03 2012-07-03 13.03 -
F-Prot 4.6.2.117 20120702 2012-07-02 1.07 -
F-Secure 7.02.73807 2012.07.05.01 2012-07-05 0.22 -
Fortinet 4.3.392 15.797 2012-07-04 0.22 W32/Azbreg.ARX!tr.bdr
GData 22.5501 20120705 2012-07-05 5.34 -
ViRobot 20120704 2012.07.04 2012-07-04 0.40 -
Ikarus T3.1.32.20.0 2012.07.05.81674 2012-07-05 5.99 Backdoor.Win32.Azbreg
JiangMin 13.0.900 2012.07.04 2012-07-04 2.17 -
Kaspersky 5.5.10 2012.07.01 2012-07-01 0.25 Backdoor.Win32.Azbreg.arx
KingSoft 2009.2.5.15 2012.7.5.9 2012-07-05 0.88 -
McAfee 5400.1158 6762 2012-07-04 8.63 Generic.dx!b2x4
Microsoft 1.8502 2012.07.05 2012-07-05 4.15 -
NOD32 3.0.21 7273 2012-07-05 0.17 Win32/Ramnit.A virus
Panda 9.05.01 2012.07.05 2012-07-05 5.01 -
Trend Micro 9.500-1005 9.236.02 2012-07-04 0.22 -
Quick Heal 11.00 2012.07.04 2012-07-04 1.20 Backdoor.Azbreg.arx
Rising 20.0 24.17.01.03 2012-07-03 2.92 -
Sophos 3.32.0 4.78 2012-07-05 5.39 -
Sunbelt 3.9.2540.2 12173 2012-07-04 0.97 Trojan.Win32.Generic!BT
Symantec 1.3.0.24 20120704.002 2012-07-04 0.43 -
nProtect 20120704.01 11565106 2012-07-04 1.34 -
The Hacker 6.8.0.0 v00050 2012-07-04 0.71 -
VBA32 3.12.18.0 20120705.0834 2012-07-05 4.04 -
VirusBuster 5.5.1.3 15.0.85.0/9045113 2012-07-05 0.23 -

#9
Maurice Naggar

Good thinking on the usage of the IE browser.

This system has what appears to be a backdoor trojan infection. This likely can be cleaned up. BUT "if" it has a Ramnit virus infection, those are not curable !
This is a point where you need to decide about whether to make a clean start.
According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
You are strongly advised to do the following immediately.
1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.
* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. You may "want to consider" a full reformat and reinstall of Windows rather than clean the system.
Let me know what you decide !

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx
Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451
Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx
Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx
Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx
Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp
~Maurice Naggar

I close my threads if there is 5 days without a response.

#10
tysonboh

    New Member

  • Members
  • Pip
  • 20 posts
  • Gender:Male
Okay, well I guess I would first like to try and clean up this virus if possible. This isn't really a computer used for any online banking etc.; the only thing close to that is the occasional eBay purchase, which I haven't done in a while (long before getting the virus). It's mainly a recreational-use kind of computer for surfing the internet etc.

So what options do I really have? It would be good to just be able to try and clean the virus up, and I might get some of the main things off the computer that I want, then maybe reset it from there. But also, I have not accepted that pop-up once; does that make any difference to the case? The pop-up is the only thing that occurs, which I cancel every time; nothing else happens.

#11
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • PipPipPipPipPipPip
  • 13,146 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Reposting this since the one just earlier has an alignment issue !!

I'll proceed to squash this malware, if you will follow my guide. Just by the way, anytime you have a "rogue" and when it is in the foreground, press ALT & hold & then F4 key on keyboard. Just do not click any "buttons" on the rogue-window itself.

Not a show-stopper. Run this script and then let it finish. If it does finish without a hitch, I need for you to run a new (fresh) DDS & post just the DDS.txt (Copy & Paste).

I will have more for you afterwards.

We Need to Run a Batch Script
  • Press the Windows-key on keyboard.
  • In the Posted Image box, type notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.
    rem Stop and remove any service registered under the malware's name (harmless if none exists)
    sc stop HbxTfbyd
    sc delete HbxTfbyd
    rem Clear the system attribute so the files can be renamed, then rename them so they
    rem no longer run at logon. Paths containing spaces must be quoted or attrib/ren fail.
    attrib -s "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe"
    ren "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe" hbxtfbyd.exx
    attrib -s "C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe"
    ren "C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe" hbxtfbyd.exZ
    rem Delete this batch file itself once it has run
    del /f /q "%~f0"
  • Select File -> Save AS.
  • Press the Desktop button on the left side of the save dialog.
  • In the Posted Image box, type in Fix.bat.
  • Press Posted Image.
  • Close Notepad.
  • Right click Posted Image on your desktop, and choose Posted Image.
  • Press Yes if prompted by User Account Control.

~Maurice Naggar

I close my threads if there is 5 days without a response.

#12
tysonboh

    New Member

  • Members
  • Pip
  • 20 posts
  • Gender:Male
Everything went well, here's the DDS.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 1.6.0_29
Run by USER at 1:03:40 on 2012-07-06
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.1432 [GMT 10:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.facebook.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Complitly: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\users\user\appdata\roaming\complitly\Complitly.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
BHO: Complitly: {d27fc31c-6e3d-4305-8d53-acdaefa5f862} - c:\users\user\appdata\roaming\complitly\Complitly.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Facebook Update] "c:\users\user\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [HbxTfbyd] c:\users\user\appdata\local\cujhubpm\hbxtfbyd.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [FingerPrintNotifer] "c:\program files\truesuite access manager\FpNotifier.exe"
mRun: [UsbMonitor] "c:\program files\truesuite access manager\usbnotify.exe"
mRun: [PwdBank] "c:\program files\truesuite access manager\PwdBank.exe"
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
StartupFolder: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.88.1
TCP: Interfaces\{67546975-2D87-494D-AB3C-65D4D5547D83} : DhcpNameServer = 192.168.88.1
TCP: Interfaces\{9B623AC4-5DD2-4064-99A8-EBC993945FAC} : DhcpNameServer = 192.168.88.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\user\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\user\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\user\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\plugins\np-mswmp.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\battlefieldheroespatcher@ea.com\plugins\npBFHUpdater.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\drivers\AlfaFF.sys [2011-9-8 43440]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-2-12 7168]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20111208.001\IDSvix86.sys [2011-12-9 287792]
S2 Authentec memory manager;Authentec memory manager service;c:\windows\system32\TAMSvr.exe [2011-9-8 49152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-26 40960]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-9-9 1153368]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-10 106104]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-26 113120]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2011-9-13 1251720]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-8-3 38448]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [2012-1-5 16128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-05 13:21:11 -------- d-----w- c:\users\user\appdata\local\cujhubpm
2012-07-04 12:45:59 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2012-07-04 05:22:09 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f7bdeaaa-f8e4-4513-a34e-69a86815d46a}\mpengine.dll
2012-06-30 10:46:38 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-06-30 05:00:24 93708 --s---w- c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe
2012-06-22 01:25:24 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 01:24:37 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 01:24:25 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 01:24:25 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-20 08:09:42 -------- d-----w- c:\program files\Microsoft XNA
2012-06-20 08:09:25 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-06-20 08:09:25 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2012-06-20 08:09:24 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2012-06-20 08:09:24 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-06-20 08:09:22 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-06-20 08:09:22 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-06-20 08:09:20 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2012-06-20 08:07:57 -------- d-----w- c:\program files\Superfighters Deluxe
2012-06-19 10:09:04 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-19 10:09:04 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-14 07:58:07 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:58:06 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 07:58:06 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:24:12 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:24:10 2045440 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec
2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-24 11:50:49 737280 ----a-w- c:\windows\iun6002.exe
.
============= FINISH: 1:04:49.55 ===============

#13
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • PipPipPipPipPipPip
  • 13,146 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
We can stay in Safe Mode with Networking for a while. I'll have you restart into Normal mode at some point, soon.

Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT by doing a Right-Click on it & select Run As Administrator

4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Show all files:
  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.
Step 3
Save and close any work documents, close any apps that you started.
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.
Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste this MBAM scan log in a reply.
Now proceed to next step.

Step 4
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Start ROGUEKILLER:
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller
Copy and Paste RKReport2 into a new reply.
and proceed to next step.

Step 5
You will want to print out or copy these instructions to Notepad for offline reference!
These steps are for member tysonboh only. If you are a casual viewer, do NOT try this on your system!
If you are not tysonboh and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power) or a UPS system


Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".
  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.

    When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.


A file will be created at => C:\Combofix.txt.
Note:
Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.

Reply with a copy of the C:\Combofix.txt log

Re-enable your antivirus app.

Edited by Maurice Naggar, 05 July 2012 - 10:18 AM.

~Maurice Naggar

I close my threads if there is 5 days without a response.

#14
tysonboh

    New Member

  • Members
  • Pip
  • 20 posts
  • Gender:Male
I am unable to do step 2, there are no menus/above toolbar.

#15
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • PipPipPipPipPipPip
  • 13,146 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Press the ALT key to see menu options in Windows Explorer. Then try.

If you get stuck, move on to the next step.
~Maurice Naggar

I close my threads if there is 5 days without a response.

#16
tysonboh

    New Member

  • Members
  • Pip
  • 20 posts
  • Gender:Male
Never mind, I fixed step 2.

#17
tysonboh

    New Member

  • Members
  • Pip
  • 20 posts
  • Gender:Male
Here is the scan from MBAM; there were no infections found though.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.05.05

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.19272
USER :: USER-PC [administrator]

6/07/2012 1:30:59 AM
mbam-log-2012-07-06 (01-30-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213855
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Here's the RogueKiller scan.

RogueKiller V7.6.2 [07/02/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: USER [Admin rights]
Mode: Scan -- Date: 07/06/2012 01:38:10

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-862659715-177543783-37968287-1003[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++
--- User ---
[MBR] 7df079e97d313bc9037b9c8b17b36d9c
[BSP] 59cdd0f62e430d3ee99792baf5e868e5 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 182987 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 377831424 | Size: 6286 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Now as for step 5, as it may take a while, and it's 1:45 in the morning here, I'm just going to turn off my computer right now and go to sleep and continue this in the morning. Thanks for the help so far, but I'll have to get back to this tomorrow.

#18
tysonboh

    New Member

  • Members
  • Pip
  • 20 posts
  • Gender:Male
Okay, so here is the MBAM log.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.05.05

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.19272
USER :: USER-PC [administrator]

6/07/2012 12:00:22 PM
mbam-log-2012-07-06 (12-00-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213789
Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

The RogueKiller log:

RogueKiller V7.6.2 [07/02/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: USER [Admin rights]
Mode: Scan -- Date: 07/06/2012 12:06:04

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-862659715-177543783-37968287-1003[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++
--- User ---
[MBR] 7df079e97d313bc9037b9c8b17b36d9c
[BSP] 59cdd0f62e430d3ee99792baf5e868e5 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 182987 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 377831424 | Size: 6286 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



And the ComboFix log:

ComboFix 12-07-05.04 - USER 06/07/2012 12:12:49.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.1529 [GMT 10:00]
Running from: c:\users\USER\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Complitly
c:\program files\Complitly\chrome\ComplitlyChrome.crx
c:\program files\Complitly\FireFoxExtension.exe
c:\program files\Complitly\InstTracker.exe
c:\program files\Complitly\support@Complitly.com\chrome.manifest
c:\program files\Complitly\support@Complitly.com\chrome\content\appIcon.png
c:\program files\Complitly\support@Complitly.com\chrome\content\browserOverlay.xul
c:\program files\Complitly\support@Complitly.com\chrome\content\options.js
c:\program files\Complitly\support@Complitly.com\chrome\content\options.xul
c:\program files\Complitly\support@Complitly.com\chrome\content\utils.js
c:\program files\Complitly\support@Complitly.com\defaults\preferences\predictad.js
c:\program files\Complitly\support@Complitly.com\install.rdf
c:\program files\Complitly\unins000.dat
c:\program files\Complitly\unins000.exe
c:\users\USER\AppData\Local\bclcobqq.log
c:\users\USER\AppData\Local\hqynaqbm.log
c:\users\USER\AppData\Local\ihgbsnfm.log
c:\users\USER\AppData\Local\nsxrwhop.log
c:\users\USER\AppData\Local\qlvjivut.log
c:\users\USER\AppData\Local\uqqnymdj.log
c:\users\USER\AppData\Local\vcqldfng.log
c:\users\USER\AppData\Roaming\Love
c:\users\USER\AppData\Roaming\Love\mari0\options.txt
c:\users\USER\AppData\Roaming\Love\not_tetris_2\highscoresA.txt
c:\users\USER\AppData\Roaming\Love\not_tetris_2\highscoresB.txt
c:\users\USER\AppData\Roaming\Love\not_tetris_2\options.txt
c:\windows\iun6002.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
.
.
2012-07-05 15:18 . 2012-07-05 15:19 -------- d-----w- c:\program files\ERUNT
2012-07-05 13:21 . 2012-07-05 15:02 -------- d-----w- c:\users\USER\AppData\Local\cujhubpm
2012-07-04 12:45 . 2008-07-30 07:42 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2012-07-04 05:22 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F7BDEAAA-F8E4-4513-A34E-69A86815D46A}\mpengine.dll
2012-06-30 10:46 . 2012-06-30 11:07 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-06-30 05:00 . 2012-06-30 05:00 93708 --s---w- c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe
2012-06-22 01:25 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-22 01:25 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-22 01:25 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-22 01:25 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 01:24 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-22 01:24 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-22 01:24 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 01:24 . 2012-06-02 05:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 01:24 . 2012-06-02 05:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 08:09 . 2012-06-20 08:09 -------- d-----w- c:\program files\Microsoft XNA
2012-06-20 08:09 . 2009-03-16 04:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-06-20 08:09 . 2009-03-16 04:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2012-06-20 08:09 . 2009-03-16 04:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2012-06-20 08:09 . 2009-03-16 04:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-06-20 08:09 . 2007-04-04 08:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-06-20 08:09 . 2007-03-12 06:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-06-20 08:09 . 2006-09-28 06:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2012-06-20 08:07 . 2012-06-20 08:07 -------- d-----w- c:\program files\Superfighters Deluxe
2012-06-19 10:09 . 2012-06-19 10:09 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-19 10:09 . 2012-06-19 10:09 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-14 07:58 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:58 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 07:58 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:24 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:24 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-19 10:09 . 2011-11-11 08:13 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-05-09 08:49 176936 ----a-w- c:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-23 10:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2007-04-20 01:40 118784 ----a-w- c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-02-06 137536]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2008-01-24 671744]
"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2007-06-05 94208]
"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2008-02-01 3150848]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-23 887976]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]
.
c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
hbxtfbyd.exe [2012-6-30 93708]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job
- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59]
.
2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job
- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job
- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job
- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47]
.
2012-06-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - USER.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 02:09]
.
2012-07-05 c:\windows\Tasks\User_Feed_Synchronization-{F3431E30-F412-43CE-91E3-3CD359877F65}.job
- c:\windows\system32\msfeedssync.exe [2012-06-14 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.88.1
FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\1qolu3le.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
HKCU-Run-HbxTfbyd - c:\users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe
AddRemove-Freecorder_1.0 - c:\windows\iun6002.exe
AddRemove-{4FFBB818-B13C-11E0-931D-B2664824019B}_is1 - c:\program files\Complitly\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-06 12:18
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1928)
c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
Completion time: 2012-07-06 12:21:36
ComboFix-quarantined-files.txt 2012-07-06 02:21
.
Pre-Run: 13,369,495,552 bytes free
Post-Run: 13,484,347,392 bytes free
.
- - End Of File - - E54F07FAB8D43002BAE4302CF457585B

#19
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • 13,146 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
You will want to print out or copy these instructions to Notepad for offline reference!

I am going to have you get a fresh copy of Combofix, save it first, and then run a special script.
There's still some stubborn malware lying about.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=112037
KILLALL::

Collect::[4]
c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe

Driver::
HbxTfbyd

Folder::
c:\users\USER\AppData\Local\cujhubpm


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 3
Reply with the latest C:\Combofix.txt
and the latest MBAM scan log
and tell me, how is your system now?
~Maurice Naggar

I close my threads if there are 5 days without a response.
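As an added example (not code from this thread, from ComboFix or from Malwarebytes), here is a small Python triage script that applies the pattern Maurice acted on above to ComboFix-style log lines: an autostart entry pointing at a randomly named executable in a user-writable location (Startup folder, HKCU Run value, folder under AppData\Local), plus Security Center monitoring switched off. The sample log is constructed from lines in this thread; the heuristics, thresholds and function names are this example's own assumptions.

```python
"""Triage heuristics for ComboFix-style log excerpts (added example, not
ComboFix's own code). Flags autostart entries launched from user-writable
paths, random-looking eight-letter executable names, and Security Center
monitoring being turned off (a common rogue-AV tactic)."""
import re

# Constructed sample: lines modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-02-06 137536]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NDSTray.exe"="NDSTray.exe" [BU]
.
c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
hbxtfbyd.exe [2012-6-30 93708]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
HKCU-Run-HbxTfbyd - c:\users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe
"""

KEY = re.compile(r"^\[(.+)\]$")                       # [HKEY_...] section header
RUN_VALUE = re.compile(r'^"[^"]*"="([^"]*)"')          # "name"="path" [date size]
STARTUP_ITEM = re.compile(r"^(.+?\.exe) \[", re.I)     # item listed under a Startup folder
ORPHAN = re.compile(r"^HK(?:CU|LM)-Run-\S+ - (.+)$")   # ORPHANS REMOVED lines
RANDOM_NAME = re.compile(r"^[a-z]{8}\.exe$")
# Locations a standard user can write to. Legitimate updaters live here too,
# so this alone earns a "review", not a "high".
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\startup\\")


def classify_path(path):
    """Return (severity, reasons) for a launch path; severity is None if clean."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    user_writable = any(marker in low for marker in USER_WRITABLE)
    random_name = bool(RANDOM_NAME.match(name))
    reasons = []
    if user_writable:
        reasons.append("autostart from a user-writable location")
    if random_name:
        reasons.append("random-looking eight-letter executable name")
    severity = "high" if random_name else ("review" if user_writable else None)
    return severity, reasons


def triage(log_text):
    """Walk the log once; return findings as dicts with severity, reason, item."""
    findings = []
    current_key = ""
    startup_dir = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # "." separates ComboFix sections
            startup_dir = None
            continue
        key = KEY.match(line)
        if key:
            current_key = key.group(1).lower()
            startup_dir = None
            continue
        if line.lower().endswith("\\startup\\"):   # folder header; items follow
            startup_dir = line
            continue
        path = None
        if startup_dir:
            item = STARTUP_ITEM.match(line)
            if item:
                path = startup_dir + item.group(1)
        elif ORPHAN.match(line):
            path = ORPHAN.match(line).group(1)
        elif current_key.endswith("\\currentversion\\run"):
            value = RUN_VALUE.match(line)
            if value:
                path = value.group(1)
        elif ("security center\\monitoring" in current_key
              and line.lower() == '"disablemonitoring"=dword:00000001'):
            findings.append({"severity": "high", "item": current_key,
                             "reason": "Security Center monitoring switched off"})
        if path:
            severity, reasons = classify_path(path)
            if severity:
                findings.append({"severity": severity, "item": path,
                                 "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['severity']:6}] {finding['item']}  <- {finding['reason']}")
```

Run against a full ComboFix.txt the script is deliberately noisy: any legitimate eight-letter name (many OEM utilities) is flagged, so treat "high" as a prompt to look at the file's signer and location, not as a verdict.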

#20
tysonboh

    New Member

  • Members
  • 20 posts
  • Gender:Male
Okay, so I did the ComboFix thing, and after it was done it must have restarted the computer, but it restarted in normal mode. In normal mode these blue ComboFix boxes kept flashing up all over the screen; after waiting a while I realised this wasn't right, turned it off and opened it again in safe mode with networking. ComboFix was up again but working properly, and it finished its thing. Here's the log.

ComboFix 12-07-05.04 - USER 06/07/2012 12:58:40.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.1348 [GMT 10:00]
Running from: c:\users\USER\Desktop\ComboFix.exe
Command switches used :: c:\users\USER\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
file zipped: c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\USER\AppData\Local\cujhubpm
c:\users\USER\AppData\Local\cujhubpm\hbxtfbyd.exZ
c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
.
.
2012-07-06 03:02 . 2012-07-06 03:09 -------- d-----w- c:\users\USER\AppData\Local\temp
2012-07-06 03:02 . 2012-07-06 03:02 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2012-07-06 03:02 . 2012-07-06 03:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-05 15:18 . 2012-07-05 15:19 -------- d-----w- c:\program files\ERUNT
2012-07-04 12:45 . 2008-07-30 07:42 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2012-07-04 05:22 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F7BDEAAA-F8E4-4513-A34E-69A86815D46A}\mpengine.dll
2012-06-30 10:46 . 2012-06-30 11:07 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-06-22 01:25 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-22 01:25 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-22 01:25 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-22 01:25 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 01:24 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-22 01:24 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-22 01:24 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 01:24 . 2012-06-02 05:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 01:24 . 2012-06-02 05:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 08:09 . 2012-06-20 08:09 -------- d-----w- c:\program files\Microsoft XNA
2012-06-20 08:09 . 2009-03-16 04:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-06-20 08:09 . 2009-03-16 04:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2012-06-20 08:09 . 2009-03-16 04:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2012-06-20 08:09 . 2009-03-16 04:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-06-20 08:09 . 2007-04-04 08:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-06-20 08:09 . 2007-03-12 06:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-06-20 08:09 . 2006-09-28 06:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2012-06-20 08:07 . 2012-06-20 08:07 -------- d-----w- c:\program files\Superfighters Deluxe
2012-06-19 10:09 . 2012-06-19 10:09 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-19 10:09 . 2012-06-19 10:09 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-14 07:58 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:58 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 07:58 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:24 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:24 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-19 10:09 . 2011-11-11 08:13 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-05-09 08:49 176936 ----a-w- c:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-23 10:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2007-04-20 01:40 118784 ----a-w- c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-02-06 137536]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2008-01-24 671744]
"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2007-06-05 94208]
"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2008-02-01 3150848]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-23 887976]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job
- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59]
.
2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job
- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job
- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job
- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47]
.
2012-06-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - USER.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 02:09]
.
2012-07-05 c:\windows\Tasks\User_Feed_Synchronization-{F3431E30-F412-43CE-91E3-3CD359877F65}.job
- c:\windows\system32\msfeedssync.exe [2012-06-14 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.88.1
FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\1qolu3le.default\
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(320)
c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Media Player\wmpnscfg.exe
.
**************************************************************************
.
Completion time: 2012-07-06 13:14:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-06 03:14
ComboFix2.txt 2012-07-06 02:21
.
Pre-Run: 13,502,423,040 bytes free
Post-Run: 13,271,773,184 bytes free
.
- - End Of File - - B4458361A748C3563EB63FA1AB6D1886
Upload was successful

Here is the MBAM scan.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.06.01

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.19272
USER :: USER-PC [administrator]

6/07/2012 1:19:58 PM
mbam-log-2012-07-06 (13-19-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216364
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


As for how my system is now, would you like me to reboot in normal mode and see if the pop-up still occurs, or something?




