tysonboh

Need help getting rid of windows command processor/trojan azgreb

34 posts in this topic

ID: 1   Posted (edited)

Hi, last saturday, a pop up box appeared, wanting me to open something called windows command processor, i clicked no, then it instantly popped up again, and continued to do so, after a quick search i realised it was a virus, i followed some online instructions, doing things like downloading rkill and malwarebytes, and using both in safe mode to remove the virus, yet it has not removed it, the pop up keeps appearing when i boot in normal mode. so i came here for help. also take note that i have not accepted the pop up box once, i exit it everytime untill it goes down into the toolbar.

i ran the log things on the DDS program as well, here are the two logs.

any help would be greatly appreciated, as this is a major inconvience to me. thanks

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 1.6.0_29

Run by USER at 22:23:36 on 2012-07-05

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\explorer.exe

C:\Windows\regedit.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Users\USER\Downloads\dds.scr

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.facebook.com/

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Complitly: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\users\user\appdata\roaming\complitly\Complitly.dll

BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll

BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll

BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

BHO: Complitly: {d27fc31c-6e3d-4305-8d53-acdaefa5f862} - c:\users\user\appdata\roaming\complitly\Complitly.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll

EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

uRun: [TOSCDSPD] TOSCDSPD.EXE

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED

uRun: [Facebook Update] "c:\users\user\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [HbxTfbyd] c:\users\user\appdata\local\cujhubpm\hbxtfbyd.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_Plugin.exe -update plugin

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun: [NDSTray.exe] NDSTray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [skytel] Skytel.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe

mRun: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun: [FingerPrintNotifer] "c:\program files\truesuite access manager\FpNotifier.exe"

mRun: [usbMonitor] "c:\program files\truesuite access manager\usbnotify.exe"

mRun: [PwdBank] "c:\program files\truesuite access manager\PwdBank.exe"

mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [<NO NAME>]

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run

mRunOnce: [GrpConv] grpconv -o

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: DisableCAD = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.88.1

TCP: Interfaces\{67546975-2D87-494D-AB3C-65D4D5547D83} : DhcpNameServer = 192.168.88.1

TCP: Interfaces\{9B623AC4-5DD2-4064-99A8-EBC993945FAC} : DhcpNameServer = 192.168.88.1

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\

FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\users\user\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll

FF - plugin: c:\users\user\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\users\user\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\plugins\np-mswmp.dll

FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\battlefieldheroespatcher@ea.com\plugins\npBFHUpdater.dll

.

============= SERVICES / DRIVERS ===============

.

R? Authentec memory manager;Authentec memory manager service

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? ConfigFree Service;ConfigFree Service

R? EraserUtilRebootDrv;EraserUtilRebootDrv

R? FontCache;Windows Font Cache Service

R? IDSvix86;Symantec Intrusion Prevention Driver

R? massfilter;ZTE Mass Storage Filter Driver

R? MozillaMaintenance;Mozilla Maintenance Service

R? SBSDWSCService;SBSD Security Center Service

R? Symantec Core LC;Symantec Core LC

R? SYMNDISV;SYMNDISV

R? TOSHIBA SMART Log Service;TOSHIBA SMART Log Service

R? TrojanKillerDriver;GridinSoft Trojan Killer Driver

R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0

R? ZTEusbnet;ZTE USB-NDIS miniport

S? AlfaFF;AlfaFF mini-filter driver

S? FwLnk;FwLnk Driver

S? NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit

.

=============== Created Last 30 ================

.

2012-07-04 12:45:59 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys

2012-07-04 05:22:09 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f7bdeaaa-f8e4-4513-a34e-69a86815d46a}\mpengine.dll

2012-06-30 10:46:38 -------- d-----w- c:\program files\GridinSoft Trojan Killer

2012-06-30 05:00:24 93708 --s---w- c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe

2012-06-22 01:25:24 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-22 01:24:37 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-22 01:24:25 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-22 01:24:25 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-20 08:09:42 -------- d-----w- c:\program files\Microsoft XNA

2012-06-20 08:09:25 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2012-06-20 08:09:25 517448 ----a-w- c:\windows\system32\XAudio2_4.dll

2012-06-20 08:09:24 235352 ----a-w- c:\windows\system32\xactengine3_4.dll

2012-06-20 08:09:24 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll

2012-06-20 08:09:22 81768 ----a-w- c:\windows\system32\xinput1_3.dll

2012-06-20 08:09:22 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll

2012-06-20 08:09:20 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll

2012-06-20 08:07:57 -------- d-----w- c:\program files\Superfighters Deluxe

2012-06-19 10:09:04 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll

2012-06-19 10:09:04 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll

2012-06-14 07:58:07 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-14 07:58:06 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-14 07:58:06 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-14 07:24:12 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-14 07:24:10 2045440 ----a-w- c:\windows\system32\win32k.sys

.

==================== Find3M ====================

.

2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll

2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll

2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec

2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2012-04-24 11:50:49 737280 ----a-w- c:\windows\iun6002.exe

.

============= FINISH: 22:24:52.84 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 9/09/2011 10:17:24 AM

System Uptime: 5/07/2012 10:05:16 PM (0 hours ago)

.

Motherboard: Intel Corp. | | Base Board Product Name

Processor: Intel® Core™2 Duo CPU T5750 @ 2.00GHz | CPU | 2120/667mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 179 GiB total, 13.358 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Microsoft Tun Miniport Adapter

Device ID: ROOT\*TUNMP\0001

Manufacturer: Microsoft

Name: Teredo Tunneling Pseudo-Interface

PNP Device ID: ROOT\*TUNMP\0001

Service: tunmp

.

==== System Restore Points ===================

.

.

==== Installed Programs ======================

.

.

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 8.1.0

Adobe Shockwave Player 11.6

AppCore

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Ask Toolbar

ATI Catalyst Install Manager

µTorrent

Audacity 2.0

AV

AviSynth 2.5

Battlefield Heroes

Bluetooth Stack for Windows by Toshiba

Bonjour

Camera Assistant Software for Toshiba

Canon Easy-WebPrint EX

Canon Inkjet Printer/Scanner/Fax Extended Survey Program

Canon MOV Decoder

Canon MOV Encoder

Canon MovieEdit Task for ZoomBrowser EX

Canon MP Navigator EX 3.0

Canon MP270 series MP Drivers

Canon Utilities Digital Photo Professional 3.10

Canon Utilities Easy-PhotoPrint EX

Canon Utilities EOS Utility

Canon Utilities EOS Video Snapshot Task for ZoomBrowser EX

Canon Utilities Movie Uploader for YouTube

Canon Utilities My Printer

Canon Utilities PhotoStitch

Canon Utilities Picture Style Editor

Canon Utilities Solution Menu

Canon Utilities ZoomBrowser EX

Canon ZoomBrowser EX Memory Card Utility

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Vista

Catalyst Control Center Localization Chinese Standard

Catalyst Control Center Localization Chinese Traditional

Catalyst Control Center Localization Dutch

Catalyst Control Center Localization French

Catalyst Control Center Localization German

Catalyst Control Center Localization Italian

Catalyst Control Center Localization Japanese

Catalyst Control Center Localization Korean

Catalyst Control Center Localization Portuguese

Catalyst Control Center Localization Spanish

Catalyst Control Center Localization Swedish

ccc-core-static

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Dutch

CCC Help English

CCC Help French

CCC Help German

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Portuguese

CCC Help Spanish

CCC Help Swedish

ccCommon

CD/DVD Drive Acoustic Silencer

CDisplay 1.8

Celtx (2.9.1)

Comical 0.8

ComicRack v0.9.153

Complitly

DVD MovieFactory for TOSHIBA

Facebook Video Calling 1.2.0.159

FM Tuner Utility

Freecorder 2.3 (with Skype Call Recording)

Freecorder 5

Freecorder Toolbar

Google Chrome

HandBrake 0.9.6

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Intel® Matrix Storage Manager

iTunes

Java Auto Updater

Java™ 6 Update 29

Java™ 6 Update 3

LiveUpdate 3.2 (Symantec Corporation)

LiveUpdate Notice (Symantec Corporation)

Malwarebytes Anti-Malware version 1.61.0.1400

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Office Standard Edition 2003

Microsoft SQL Server Native Client

Microsoft SQL Server Setup Support Files (English)

Microsoft SQL Server VSS Writer

Microsoft Visual C++ 2005 Redistributable

Microsoft XML Parser

Microsoft XNA Framework Redistributable 3.1

Mozilla Firefox 13.0.1 (x86 en-US)

Mozilla Maintenance Service

MSRedist

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Norton AntiVirus

Norton Confidential Browser Component

Norton Confidential Web Protection Component

Norton Internet Security

Norton Internet Security (Symantec Corporation)

Norton Protection Center

Pando Media Booster

PunkBuster Services

QuickTime

Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista

Realtek High Definition Audio Driver

RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Windows Media Encoder (KB2447961)

Skins

SPBBC 32bit

Spybot - Search & Destroy

Superfighters Deluxe Pre-Alpha

swMSM

Symantec Real Time Storage Protection Component

SymNet

Synaptics Pointing Device Driver

TOSHIBA Assist

TOSHIBA ConfigFree

TOSHIBA Disc Creator

TOSHIBA DVD PLAYER

TOSHIBA Extended Tiles for Windows Mobility Center

TOSHIBA Face Recognition

TOSHIBA Hardware Setup

TOSHIBA Recovery Disc Creator

TOSHIBA SD Memory Utilities

TOSHIBA Speech System Applications

TOSHIBA Speech System SR Engine(U.S.) Version1.0

TOSHIBA Speech System TTS Engine(U.S.) Version1.0

TOSHIBA Supervisor Password

TOSHIBA Value Added Package

Trojan Killer

TrueSuite Access Manager

Unity Web Player

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

uTorrentBar Toolbar

VLC media player 2.0.1

Windows Driver Package - Cmotech (cmusbnet) Net (06/11/2007 2.0.0.9)

Windows Driver Package - Cmotech Modem (12/13/2006 2.0.3.5)

Windows Driver Package - Cmotech Ports (12/13/2006 2.0.3.5)

Windows Media Encoder 9 Series

.

==== Event Viewer Messages From Past Week ========

.

5/07/2012 10:07:57 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

5/07/2012 10:07:18 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl SPBBCDrv spldr SRTSPX SYMTDI Wanarpv6

5/07/2012 10:07:18 PM, Error: Service Control Manager [7001] - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

5/07/2012 10:07:18 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

5/07/2012 10:06:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

5/07/2012 10:06:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

5/07/2012 10:06:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

5/07/2012 10:06:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

5/07/2012 10:06:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

5/07/2012 10:05:57 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .

5/07/2012 10:05:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}

4/07/2012 3:50:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

.

==== End Of File ===========================

Edited by Maurice Naggar
Logs In-line

Share this post


Link to post
Share on other sites

Hello tysonboh,

Going forward, do NOT attach log/reports. Always Copy & Paste contents into main-body of reply-box !

Tell me if you have a current license for Norton/Symantec, or whether this pc used to have a trial version of some Symantec app ??

Please follow my guidance.

  • Download & SAVE to your Desktop >> Tigzy's RogueKillerfrom here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Share this post


Link to post
Share on other sites

P.S.

Your logs showed some peer-to-peer filesharing apps: uTorrent. I do not recommend the use of P-2-P programs since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

De-install (remove) uTorrent and any other peer-to-peer app AND confirm doing so.

I would also recommend the removal of the ASK toolbar.

All of this is just a starter. There's a whole lot of things to follow.

Do NOT do any websurfing, NO online banking, NO online transactions.

Just only go to this forum and the websites I guide you to.

Share this post


Link to post
Share on other sites

yes i did have norton antivirus, which has recently expired and i was yet to renew my subscription.

also here is the log from the recently asked scan.

RogueKiller V7.6.2 [07/02/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User: USER [Admin rights]

Mode: Scan -- Date: 07/05/2012 23:40:19

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-862659715-177543783-37968287-1003[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++

--- User ---

[MBR] 7df079e97d313bc9037b9c8b17b36d9c

[bSP] 59cdd0f62e430d3ee99792baf5e868e5 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 182987 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 377831424 | Size: 6286 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Share this post


Link to post
Share on other sites

also i uninstalled utorrent, yet was unable to uninstall the ask toolbar

Share this post


Link to post
Share on other sites

also, whilst doing all of this, would you like me to stay in safe mode with networking? its what im in at the moment.

Share this post


Link to post
Share on other sites

For the time being, Safe Mode with Networking is ok. Please try to do the following ....if possible.... and then post and await my next reply.

Use your browser to go here at Virustotal website

Click the Choose File button and then navigate to C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe, then click the Scan it button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

==

Use your browser to go here at VirSCAN.org website

Click the Browse button and then navigate to C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe, then click the Upload button.

Save the results, and post back here in a reply.

Share this post


Link to post
Share on other sites

nothing happened when i clicked on the browse or choose file buttons on both websites, using firefox, but then i switched to internet explorer and it worked, the results from the first website were

File already analysed

This file was already analysed by VirusTotal on 2012-06-30 01:17:27.

Detection ratio: 3/42

You can take a look at the last analysis or analyse it again now.

i then clicked to look at the last analysis and it said

SHA256: 4c88fa0048c8ab984c6a8ec730b11332cafcb5d9d5805772aba6d22fb1cd6cf1 SHA1: f1816ff44af8796ebfa1addc391b4554d9d45eed MD5: 98ec79dd327cba948331972d5d69ea8a File size: 91.5 KB ( 93708 bytes ) File name: 00ED56ED0C8ACB406ED701A8D72FB900F260307A.exe File type: Win32 EXE Detection ratio: 3 / 42 Analysis date:

2012-06-30 01:17:27 UTC ( 5 days, 12 hours ago )

then i did the scan on the second website and these were the results

VirSCAN.org Scanned Report :

Scanned time : 2012/07/06 00:09:02 (EST)

Scanner results: 28% Scanner(s) (10/36) found malware!

File Name : hbxtfbyd.exe

File Size : 93708 byte

File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 98ec79dd327cba948331972d5d69ea8a

SHA1 : f1816ff44af8796ebfa1addc391b4554d9d45eed

Online report : http://r.virscan.org/0056c89a479de0644ce16b58c1d26363

Scanner Engine Ver Sig Ver Sig Date Time Scan result

a-squared 5.1.0.4 20120705120340 2012-07-05 9.62 Backdoor.Win32.Azbreg!IK

AhnLab V3 ... .. -- 0.44 -

AntiVir 8.2.10.80 7.11.32.106 2012-06-09 0.17 -

Antiy 2.0.18 2.0.18. 0002-18-00 0.27 -

Arcavir 2011 201206041805 2012-06-04 4.47 -

Authentium 5.1.1 201207050736 2012-07-05 1.77 -

AVAST! 4.7.4 120704-1 2012-07-04 0.21 Win32:Rootkit-gen [Rtk]

AVG 12.0.1787 2437/5112 2012-07-05 0.44 BackDoor.Generic15.BGUU

BitDefender 7.90123.7.90123 7.90123 2012-07-05 0.17 -

ClamAV 0.97.3 15110 2012-07-05 0.26 -

Comodo 5.1 12837 2012-07-05 2.83 -

CP Secure 1.3.0.5 2012.07.05 2012-07-05 0.50 -

Dr.Web 7.0.2.4281 2012.07.03 2012-07-03 13.03 -

F-Prot 4.6.2.117 20120702 2012-07-02 1.07 -

F-Secure 7.02.73807 2012.07.05.01 2012-07-05 0.22 -

Fortinet 4.3.392 15.797 2012-07-04 0.22 W32/Azbreg.ARX!tr.bdr

GData 22.5501 20120705 2012-07-05 5.34 -

ViRobot 20120704 2012.07.04 2012-07-04 0.40 -

Ikarus T3.1.32.20.0 2012.07.05.81674 2012-07-05 5.99 Backdoor.Win32.Azbreg

JiangMin 13.0.900 2012.07.04 2012-07-04 2.17 -

Kaspersky 5.5.10 2012.07.01 2012-07-01 0.25 Backdoor.Win32.Azbreg.arx

KingSoft 2009.2.5.15 2012.7.5.9 2012-07-05 0.88 -

McAfee 5400.1158 6762 2012-07-04 8.63 Generic.dx!b2x4

Microsoft 1.8502 2012.07.05 2012-07-05 4.15 -

NOD32 3.0.21 7273 2012-07-05 0.17 Win32/Ramnit.A virus

Panda 9.05.01 2012.07.05 2012-07-05 5.01 -

Trend Micro 9.500-1005 9.236.02 2012-07-04 0.22 -

Quick Heal 11.00 2012.07.04 2012-07-04 1.20 Backdoor.Azbreg.arx

Rising 20.0 24.17.01.03 2012-07-03 2.92 -

Sophos 3.32.0 4.78 2012-07-05 5.39 -

Sunbelt 3.9.2540.2 12173 2012-07-04 0.97 Trojan.Win32.Generic!BT

Symantec 1.3.0.24 20120704.002 2012-07-04 0.43 -

nProtect 20120704.01 11565106 2012-07-04 1.34 -

The Hacker 6.8.0.0 v00050 2012-07-04 0.71 -

VBA32 3.12.18.0 20120705.0834 2012-07-05 4.04 -

VirusBuster 5.5.1.3 15.0.85.0/9045113 2012-07-05 0.23 -

Share this post


Link to post
Share on other sites

Good thinking on the usage of IE browser <w>

This system has what appears to be a backdoor trojan infection. This likely can be cleaned up. BUT "if" it has a Ramnit virus infection, those are not cureable !

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. You may "want to consider" a full reformat and reinstall of Windows rather than clean the system.

Let me know what you decide !

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Share this post


Link to post
Share on other sites

okay, well i guess i would first like to try and clean up this virus if possible, this isnt really a computer used for any online bankings etc, the only thing close to that is the occasional ebay purchase which i havent done in a while (long before getting the virus). its mainly a recreational use kind of computer for surfing the internet etc.

so what options do i really have? it would be good to just be able to try and clean the virus up and i might get some of the main things off the computer that i want, then maybe reset it from there. but also i have not accepted that pop up once, does that make any difference to the case? the pop-up is the only thing that occurs which i cancel everytime, nothing else happens.

Share this post


Link to post
Share on other sites

Reposting this since the one just earlier has an alignment issue !!

I'll proceed to squash this malware, if you will follow my guide. Just by the way, anytime you have a "rogue" and when it is in the foreground, press ALT & hold & then F4 key on keyboard. Just do not click any "buttons" on the rogue-window itself.

Not a show-stopper. Run this script and then let it finish. If it does finish without a hitch, I need for you to run a new (fresh) DDS & post just the DDS.txt (Copy & Paste).

I will have more for you afterwards.

We Need to Run a Batch Script

  • Press the Windows-key on keyboard.
  • In the 10-16-2011%204-33-46%20PM.png box, type notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.
    sc stop HbxTfbyd
    sc delete HbxTfbyd
    attrib -s c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe
    ren c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe hbxtfbyd.exx
    attrib -s C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe
    ren C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe hbxtfbyd.exZ
    del /f /q "%~f0"


  • Select File -> Save AS.
  • Press the Desktop button on the left side of the save dialog.
  • In the 10-16-2011%204-37-58%20PM.png box, type in Fix.bat.
  • Press 10-16-2011%204-36-39%20PM.png.
  • Close Notepad.
  • Right click 10-16-2011%204-34-34%20PM.png on your desktop, and choose 10-16-2011%204-40-48%20PM.png.
  • Press Yes if prompted by User Account Control.

Share this post


Link to post
Share on other sites

everything went well, heres the DDS

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 1.6.0_29

Run by USER at 1:03:40 on 2012-07-06

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.1432 [GMT 10:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\Explorer.EXE

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.facebook.com/

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Complitly: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\users\user\appdata\roaming\complitly\Complitly.dll

BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll

BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll

BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

BHO: Complitly: {d27fc31c-6e3d-4305-8d53-acdaefa5f862} - c:\users\user\appdata\roaming\complitly\Complitly.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll

EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

uRun: [TOSCDSPD] TOSCDSPD.EXE

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED

uRun: [Facebook Update] "c:\users\user\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [HbxTfbyd] c:\users\user\appdata\local\cujhubpm\hbxtfbyd.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun: [NDSTray.exe] NDSTray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [skytel] Skytel.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe

mRun: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun: [FingerPrintNotifer] "c:\program files\truesuite access manager\FpNotifier.exe"

mRun: [usbMonitor] "c:\program files\truesuite access manager\usbnotify.exe"

mRun: [PwdBank] "c:\program files\truesuite access manager\PwdBank.exe"

mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [<NO NAME>]

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run

StartupFolder: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: DisableCAD = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.88.1

TCP: Interfaces\{67546975-2D87-494D-AB3C-65D4D5547D83} : DhcpNameServer = 192.168.88.1

TCP: Interfaces\{9B623AC4-5DD2-4064-99A8-EBC993945FAC} : DhcpNameServer = 192.168.88.1

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\

FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\users\user\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll

FF - plugin: c:\users\user\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\users\user\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\plugins\np-mswmp.dll

FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\battlefieldheroespatcher@ea.com\plugins\npBFHUpdater.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\drivers\AlfaFF.sys [2011-9-8 43440]

R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-2-12 7168]

R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]

S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20111208.001\IDSvix86.sys [2011-12-9 287792]

S2 Authentec memory manager;Authentec memory manager service;c:\windows\system32\TAMSvr.exe [2011-9-8 49152]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-26 40960]

S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-9-9 1153368]

S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-10 106104]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-26 113120]

S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2011-9-13 1251720]

S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-8-3 38448]

S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [2012-1-5 16128]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-07-05 13:21:11 -------- d-----w- c:\users\user\appdata\local\cujhubpm

2012-07-04 12:45:59 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys

2012-07-04 05:22:09 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f7bdeaaa-f8e4-4513-a34e-69a86815d46a}\mpengine.dll

2012-06-30 10:46:38 -------- d-----w- c:\program files\GridinSoft Trojan Killer

2012-06-30 05:00:24 93708 --s---w- c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe

2012-06-22 01:25:24 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-22 01:24:37 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-22 01:24:25 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-22 01:24:25 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-20 08:09:42 -------- d-----w- c:\program files\Microsoft XNA

2012-06-20 08:09:25 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2012-06-20 08:09:25 517448 ----a-w- c:\windows\system32\XAudio2_4.dll

2012-06-20 08:09:24 235352 ----a-w- c:\windows\system32\xactengine3_4.dll

2012-06-20 08:09:24 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll

2012-06-20 08:09:22 81768 ----a-w- c:\windows\system32\xinput1_3.dll

2012-06-20 08:09:22 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll

2012-06-20 08:09:20 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll

2012-06-20 08:07:57 -------- d-----w- c:\program files\Superfighters Deluxe

2012-06-19 10:09:04 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll

2012-06-19 10:09:04 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll

2012-06-14 07:58:07 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-14 07:58:06 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-14 07:58:06 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-14 07:24:12 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-14 07:24:10 2045440 ----a-w- c:\windows\system32\win32k.sys

.

==================== Find3M ====================

.

2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll

2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll

2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec

2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2012-04-24 11:50:49 737280 ----a-w- c:\windows\iun6002.exe

.

============= FINISH: 1:04:49.55 ===============

Share this post


Link to post
Share on other sites

ID: 13   Posted (edited)

We can stay in Safe Mode with Networking for a while. I'll have you restart into Normal mode at some point, soon.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT by doing a Right-Click on it & select Run As Admisnistrator

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 3

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste this MBAM scan log in a reply.

Now proceed to next step.

Step 4

  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Start ROGUEKILLER:
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller

Copy and Paste RKReport2 into a new reply.

and proceed to next step.

Step 5

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member tysonboh only. If you are a casual viewer, do NOT try this on your system!

If you are not tysonboh and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display it's "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix my take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)or a UPS system

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right- click on Combo-Fix.exe on your Desktop cf-icon.jpg and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

Reply with a copy of the C:\Combofix.txt log

Re-enable your antivirus app.

Edited by Maurice Naggar

Share this post


Link to post
Share on other sites

i am unable to do step 2, there are no menus/above toolbar

Share this post


Link to post
Share on other sites

Press the ALT key to see menu options in Windows Explorer. Then try.

If get stuck, move on to next step

Share this post


Link to post
Share on other sites

here is the scan from mbam, there were no infections found though.

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.07.05.05

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.6001.19272

USER :: USER-PC [administrator]

6/07/2012 1:30:59 AM

mbam-log-2012-07-06 (01-30-59).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 213855

Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

heres the roguekiller scan

RogueKiller V7.6.2 [07/02/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User: USER [Admin rights]

Mode: Scan -- Date: 07/06/2012 01:38:10

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-862659715-177543783-37968287-1003[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++

--- User ---

[MBR] 7df079e97d313bc9037b9c8b17b36d9c

[bSP] 59cdd0f62e430d3ee99792baf5e868e5 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 182987 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 377831424 | Size: 6286 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

now as for step 5, as it may take a while, and its 1.45 in the morning here, im just going to turn off my computer right now and go to sleep and continue this in the morning, thanks for the help so far, but ill have to get back to this tomorrow.

Share this post


Link to post
Share on other sites

okay so here is the mbam log

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.07.05.05

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.6001.19272

USER :: USER-PC [administrator]

6/07/2012 12:00:22 PM

mbam-log-2012-07-06 (12-00-22).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 213789

Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

the roguekiller log

RogueKiller V7.6.2 [07/02/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User: USER [Admin rights]

Mode: Scan -- Date: 07/06/2012 12:06:04

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-862659715-177543783-37968287-1003[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++

--- User ---

[MBR] 7df079e97d313bc9037b9c8b17b36d9c

[bSP] 59cdd0f62e430d3ee99792baf5e868e5 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 182987 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 377831424 | Size: 6286 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

and the combofix log

ComboFix 12-07-05.04 - USER 06/07/2012 12:12:49.1.2 - x86 NETWORK

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.1529 [GMT 10:00]

Running from: c:\users\USER\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Complitly

c:\program files\Complitly\chrome\ComplitlyChrome.crx

c:\program files\Complitly\FireFoxExtension.exe

c:\program files\Complitly\InstTracker.exe

c:\program files\Complitly\support@Complitly.com\chrome.manifest

c:\program files\Complitly\support@Complitly.com\chrome\content\appIcon.png

c:\program files\Complitly\support@Complitly.com\chrome\content\browserOverlay.xul

c:\program files\Complitly\support@Complitly.com\chrome\content\options.js

c:\program files\Complitly\support@Complitly.com\chrome\content\options.xul

c:\program files\Complitly\support@Complitly.com\chrome\content\utils.js

c:\program files\Complitly\support@Complitly.com\defaults\preferences\predictad.js

c:\program files\Complitly\support@Complitly.com\install.rdf

c:\program files\Complitly\unins000.dat

c:\program files\Complitly\unins000.exe

c:\users\USER\AppData\Local\bclcobqq.log

c:\users\USER\AppData\Local\hqynaqbm.log

c:\users\USER\AppData\Local\ihgbsnfm.log

c:\users\USER\AppData\Local\nsxrwhop.log

c:\users\USER\AppData\Local\qlvjivut.log

c:\users\USER\AppData\Local\uqqnymdj.log

c:\users\USER\AppData\Local\vcqldfng.log

c:\users\USER\AppData\Roaming\Love

c:\users\USER\AppData\Roaming\Love\mari0\options.txt

c:\users\USER\AppData\Roaming\Love\not_tetris_2\highscoresA.txt

c:\users\USER\AppData\Roaming\Love\not_tetris_2\highscoresB.txt

c:\users\USER\AppData\Roaming\Love\not_tetris_2\options.txt

c:\windows\iun6002.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))

.

.

2012-07-05 15:18 . 2012-07-05 15:19 -------- d-----w- c:\program files\ERUNT

2012-07-05 13:21 . 2012-07-05 15:02 -------- d-----w- c:\users\USER\AppData\Local\cujhubpm

2012-07-04 12:45 . 2008-07-30 07:42 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys

2012-07-04 05:22 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F7BDEAAA-F8E4-4513-A34E-69A86815D46A}\mpengine.dll

2012-06-30 10:46 . 2012-06-30 11:07 -------- d-----w- c:\program files\GridinSoft Trojan Killer

2012-06-30 05:00 . 2012-06-30 05:00 93708 --s---w- c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe

2012-06-22 01:25 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-22 01:25 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-22 01:25 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-22 01:25 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-22 01:24 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-22 01:24 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-22 01:24 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-22 01:24 . 2012-06-02 05:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-22 01:24 . 2012-06-02 05:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-20 08:09 . 2012-06-20 08:09 -------- d-----w- c:\program files\Microsoft XNA

2012-06-20 08:09 . 2009-03-16 04:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2012-06-20 08:09 . 2009-03-16 04:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll

2012-06-20 08:09 . 2009-03-16 04:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll

2012-06-20 08:09 . 2009-03-16 04:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll

2012-06-20 08:09 . 2007-04-04 08:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll

2012-06-20 08:09 . 2007-03-12 06:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll

2012-06-20 08:09 . 2006-09-28 06:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll

2012-06-20 08:07 . 2012-06-20 08:07 -------- d-----w- c:\program files\Superfighters Deluxe

2012-06-19 10:09 . 2012-06-19 10:09 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll

2012-06-19 10:09 . 2012-06-19 10:09 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll

2012-06-14 07:58 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-14 07:58 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-14 07:58 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-14 07:24 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-14 07:24 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-19 10:09 . 2011-11-11 08:13 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]

"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

2011-05-09 08:49 176936 ----a-w- c:\program files\Freecorder\prxtbFre0.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTor.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2011-08-23 10:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]

"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]

"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]

@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"

[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]

2007-04-20 01:40 118784 ----a-w- c:\program files\TrueSuite Access Manager\IconOvrly.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Facebook Update"="c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-02-06 137536]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]

"NDSTray.exe"="NDSTray.exe" [bU]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]

"Skytel"="Skytel.exe" [2007-11-20 1826816]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]

"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]

"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 448080]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]

"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2008-01-24 671744]

"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2007-06-05 94208]

"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2008-02-01 3150848]

"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]

"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-23 887976]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]

"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]

.

c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

hbxtfbyd.exe [2012-6-30 93708]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

"DisableCAD"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - COMHOST

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job

- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59]

.

2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job

- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59]

.

2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job

- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47]

.

2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job

- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47]

.

2012-06-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - USER.job

- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 02:09]

.

2012-07-05 c:\windows\Tasks\User_Feed_Synchronization-{F3431E30-F412-43CE-91E3-3CD359877F65}.job

- c:\windows\system32\msfeedssync.exe [2012-06-14 03:24]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.facebook.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.88.1

FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\1qolu3le.default\

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE

HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe

HKCU-Run-HbxTfbyd - c:\users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe

AddRemove-Freecorder_1.0 - c:\windows\iun6002.exe

AddRemove-{4FFBB818-B13C-11E0-931D-B2664824019B}_is1 - c:\program files\Complitly\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-06 12:18

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(1928)

c:\program files\TrueSuite Access Manager\IconOvrly.dll

.

Completion time: 2012-07-06 12:21:36

ComboFix-quarantined-files.txt 2012-07-06 02:21

.

Pre-Run: 13,369,495,552 bytes free

Post-Run: 13,484,347,392 bytes free

.

- - End Of File - - E54F07FAB8D43002BAE4302CF457585B

Share this post


Link to post
Share on other sites

You will want to print out or copy these instructions to Notepad for offline reference!

I am going to have you get a fresh copy of Combofix, save it first, and then run a special script.

There's still some stubborn malware laying about.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

CF_download_FF.gif

CF_download_rename.gif

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=112037
KILLALL::

Collect::[4]
c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe

Driver::
HbxTfbyd

Folder::
c:\users\USER\AppData\Local\cujhubpm

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 3

Reply with the latest C:\Combofix.txt

and the latest MBAM scan log

and tell me, How is your system now ?

Share this post


Link to post
Share on other sites

okay so i did the combofix thing, and after it was done it must have restarted the computer, but it restarted in normal mode, in normal mode these blue combofix boxes kept flashing up all over the screen, after waiting a while i realised this wasnt right, turned it off and opened it again in safe mode with networking. combofix was up again but working properly and it finished its thing. heres the log

ComboFix 12-07-05.04 - USER 06/07/2012 12:58:40.1.2 - x86 NETWORK

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.1348 [GMT 10:00]

Running from: c:\users\USER\Desktop\ComboFix.exe

Command switches used :: c:\users\USER\Desktop\CFScript.txt

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

file zipped: c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\USER\AppData\Local\cujhubpm

c:\users\USER\AppData\Local\cujhubpm\hbxtfbyd.exZ

c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))

.

.

2012-07-06 03:02 . 2012-07-06 03:09 -------- d-----w- c:\users\USER\AppData\Local\temp

2012-07-06 03:02 . 2012-07-06 03:02 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2012-07-06 03:02 . 2012-07-06 03:02 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-05 15:18 . 2012-07-05 15:19 -------- d-----w- c:\program files\ERUNT

2012-07-04 12:45 . 2008-07-30 07:42 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys

2012-07-04 05:22 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F7BDEAAA-F8E4-4513-A34E-69A86815D46A}\mpengine.dll

2012-06-30 10:46 . 2012-06-30 11:07 -------- d-----w- c:\program files\GridinSoft Trojan Killer

2012-06-22 01:25 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-22 01:25 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-22 01:25 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-22 01:25 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-22 01:24 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-22 01:24 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-22 01:24 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-22 01:24 . 2012-06-02 05:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-22 01:24 . 2012-06-02 05:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-20 08:09 . 2012-06-20 08:09 -------- d-----w- c:\program files\Microsoft XNA

2012-06-20 08:09 . 2009-03-16 04:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2012-06-20 08:09 . 2009-03-16 04:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll

2012-06-20 08:09 . 2009-03-16 04:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll

2012-06-20 08:09 . 2009-03-16 04:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll

2012-06-20 08:09 . 2007-04-04 08:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll

2012-06-20 08:09 . 2007-03-12 06:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll

2012-06-20 08:09 . 2006-09-28 06:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll

2012-06-20 08:07 . 2012-06-20 08:07 -------- d-----w- c:\program files\Superfighters Deluxe

2012-06-19 10:09 . 2012-06-19 10:09 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll

2012-06-19 10:09 . 2012-06-19 10:09 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll

2012-06-14 07:58 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-14 07:58 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-14 07:58 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-14 07:24 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-14 07:24 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-19 10:09 . 2011-11-11 08:13 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]

"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

2011-05-09 08:49 176936 ----a-w- c:\program files\Freecorder\prxtbFre0.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTor.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2011-08-23 10:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]

"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]

"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]

@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"

[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]

2007-04-20 01:40 118784 ----a-w- c:\program files\TrueSuite Access Manager\IconOvrly.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Facebook Update"="c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-02-06 137536]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]

"NDSTray.exe"="NDSTray.exe" [bU]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]

"Skytel"="Skytel.exe" [2007-11-20 1826816]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]

"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]

"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 448080]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]

"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2008-01-24 671744]

"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2007-06-05 94208]

"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2008-02-01 3150848]

"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]

"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-23 887976]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]

"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

"DisableCAD"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - COMHOST

*NewlyCreated* - ECACHE

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job

- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59]

.

2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job

- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59]

.

2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job

- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47]

.

2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job

- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47]

.

2012-06-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - USER.job

- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 02:09]

.

2012-07-05 c:\windows\Tasks\User_Feed_Synchronization-{F3431E30-F412-43CE-91E3-3CD359877F65}.job

- c:\windows\system32\msfeedssync.exe [2012-06-14 03:24]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.facebook.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.88.1

FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\1qolu3le.default\

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(320)

c:\program files\TrueSuite Access Manager\IconOvrly.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Windows Media Player\wmpnscfg.exe

.

**************************************************************************

.

Completion time: 2012-07-06 13:14:52 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-06 03:14

ComboFix2.txt 2012-07-06 02:21

.

Pre-Run: 13,502,423,040 bytes free

Post-Run: 13,271,773,184 bytes free

.

- - End Of File - - B4458361A748C3563EB63FA1AB6D1886

Upload was successful

here is the mbam scan.

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.07.06.01

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.6001.19272

USER :: USER-PC [administrator]

6/07/2012 1:19:58 PM

mbam-log-2012-07-06 (13-19-58).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 216364

Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

as for how is my system now, would you like me to reboot in normal mode and see if the pop-up still occurs or something ?

Share this post


Link to post
Share on other sites

okay so i went ahead a restarted the system in normal mode, no pop up so far. and really the pop up was the only thing showing me that i had the virus, there were no other problems occuring on my computer, so basically its running the exact same way, minus the pop-up.

Share this post


Link to post
Share on other sites

ID: 22   Posted (edited)

Yes, you should be in Normal mode of Windows.

now, you had said

okay so i did the combofix thing, and after it was done it must have restarted the computer, but it restarted in normal mode, in normal mode these blue combofix boxes kept flashing up all over the screen, after waiting a while i realised this wasnt right, turned it off and opened it again in safe mode with networking. combofix was up again but working properly and it finished its thing. heres the log

I hope you never again have an occasion to need to run Combofix......but, you should be made very aware of this....

Combofix does a lot of work. and unless your Helper tells you otherwise, you should always allow it to restart on it's own and on it's own get back to Windows.

It appears things are back to "normal"....meaning the rogue "command processor" trojan is gone.

I believe much, much earlier you said your Norton license had expired. If still true, I would recommend you remove Norton antivirus and get either MS Security Essentials or Avira antivirus.

Two good antivirus programs free for non-commercial home use are Avira Free Antivirus and Microsoft Security Essentials

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

I would suggest you get either MSE or Avira.

The sequence to use when switching antivirus is this:

1) Download AND SAVE the setup program of the new antivirus. (Have it handy).

2) Disconnect pc from internet

3) De-install the old antivirus (in your case with XP, use the Add-or-Remove program & then locate it & un-install (remove)

4) Make sure to Logoff and Restart Windows fresh.

5) Run setup of new antivirus

6) Logoff and Restart fresh

7) Reconnect to internet

7) start the new A-V, and do an Update run (to make sure it is all current)

Watch your system closely for another 24 hours.

Do not disappear, but return tomorrow to give me a new update; plus I need to convey to you the cleanup procedure.

Edited by Maurice Naggar

Share this post


Link to post
Share on other sites

okay, ive uninstalled norton, put microsoft security essentials on and completely updated it, and now its doing a full scan, so far its taken about 3 hours and still going.

so am i now able to use my computer for browsing still? or would it still be unsafe to log into websites i want to use etc.

Share this post


Link to post
Share on other sites

After the scan finsihes, I highly recommend you get & apply the mvp hosts (below). After that, you may visit & browse but always be very careful to not be real quick to click links to unknown sites or questionable links.

Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm

Steps to follow for the MVP Hosts file:

1) Download and SAVE the zip file to a temporary folder

2) Unzip (extract the contents) in the same folder

3) Temporarily disable your antivirus program. Some antivirus apps will block changes to the Hosts file; so turn it off.

4) After extract is complete, run mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides

typically, C:\WINDOWS\system32\drivers\etc

and after that copy is saved, it replaces the old Hosts with the new one.

And you should see (in the blue background command window) the following:

_________________________________________________

¦ +---+¦

¦ THE MVPS HOSTS FILE IS NOW UPDATED ¦ v ¦¦

¦ +---+¦

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Previous version saved and renamed to HOSTS.MVP

Press any key to continue . . .

Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts

The latter is the same folder that had mvps.bat

5) Re-enable your antivirus app.

The MVP Hosts file is updated from time to time. See http://msmvps.com/blogs/hostsnews

for information. And you can also sign-up for email notice when Mike publishes updates.

Do not go away, as we still need to do cleanups and closure.

Share this post


Link to post
Share on other sites

okay i just finished all that,so it is now safe to browse? what about online purchasing, logging into sites i use frequently etc?

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.