tysonboh Posted July 5, 2012 ID:567186 (edited)

Hi, last Saturday, a pop-up box appeared, wanting me to open something called Windows Command Processor. I clicked no, then it instantly popped up again, and continued to do so. After a quick search I realised it was a virus. I followed some online instructions, doing things like downloading rkill and Malwarebytes, and using both in safe mode to remove the virus, yet it has not removed it; the pop-up keeps appearing when I boot in normal mode. So I came here for help. Also take note that I have not accepted the pop-up box once; I exit it every time until it goes down into the toolbar. I ran the log things on the DDS program as well; here are the two logs. Any help would be greatly appreciated, as this is a major inconvenience to me. Thanks.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 1.6.0_29
Run by USER at 22:23:36 on 2012-07-05

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\regedit.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\USER\Downloads\dds.scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.facebook.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Complitly: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\users\user\appdata\roaming\complitly\Complitly.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
BHO: Complitly: {d27fc31c-6e3d-4305-8d53-acdaefa5f862} - c:\users\user\appdata\roaming\complitly\Complitly.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Facebook Update] "c:\users\user\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [HbxTfbyd] c:\users\user\appdata\local\cujhubpm\hbxtfbyd.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_Plugin.exe -update plugin
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [FingerPrintNotifer] "c:\program files\truesuite access manager\FpNotifier.exe"
mRun: [usbMonitor] "c:\program files\truesuite access manager\usbnotify.exe"
mRun: [PwdBank] "c:\program files\truesuite access manager\PwdBank.exe"
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRunOnce: [GrpConv] grpconv -o
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.88.1
TCP: Interfaces\{67546975-2D87-494D-AB3C-65D4D5547D83} : DhcpNameServer = 192.168.88.1
TCP: Interfaces\{9B623AC4-5DD2-4064-99A8-EBC993945FAC} : DhcpNameServer = 192.168.88.1

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\user\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\user\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\user\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\plugins\np-mswmp.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\battlefieldheroespatcher@ea.com\plugins\npBFHUpdater.dll

============= SERVICES / DRIVERS ===============

R? Authentec memory manager;Authentec memory manager service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? ConfigFree Service;ConfigFree Service
R? EraserUtilRebootDrv;EraserUtilRebootDrv
R? FontCache;Windows Font Cache Service
R? IDSvix86;Symantec Intrusion Prevention Driver
R? massfilter;ZTE Mass Storage Filter Driver
R? MozillaMaintenance;Mozilla Maintenance Service
R? SBSDWSCService;SBSD Security Center Service
R? Symantec Core LC;Symantec Core LC
R? SYMNDISV;SYMNDISV
R? TOSHIBA SMART Log Service;TOSHIBA SMART Log Service
R? TrojanKillerDriver;GridinSoft Trojan Killer Driver
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
R? ZTEusbnet;ZTE USB-NDIS miniport
S? AlfaFF;AlfaFF mini-filter driver
S? FwLnk;FwLnk Driver
S? NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit

=============== Created Last 30 ================

2012-07-04 12:45:59 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2012-07-04 05:22:09 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f7bdeaaa-f8e4-4513-a34e-69a86815d46a}\mpengine.dll
2012-06-30 10:46:38 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-06-30 05:00:24 93708 --s---w- c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe
2012-06-22 01:25:24 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 01:24:37 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 01:24:25 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 01:24:25 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-20 08:09:42 -------- d-----w- c:\program files\Microsoft XNA
2012-06-20 08:09:25 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-06-20 08:09:25 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2012-06-20 08:09:24 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2012-06-20 08:09:24 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-06-20 08:09:22 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-06-20 08:09:22 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-06-20 08:09:20 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2012-06-20 08:07:57 -------- d-----w- c:\program files\Superfighters Deluxe
2012-06-19 10:09:04 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-19 10:09:04 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-14 07:58:07 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:58:06 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 07:58:06 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:24:12 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:24:10 2045440 ----a-w- c:\windows\system32\win32k.sys

==================== Find3M ====================

2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec
2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-24 11:50:49 737280 ----a-w- c:\windows\iun6002.exe

============= FINISH: 22:24:52.84 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT.

DDS (Ver_2011-08-26.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 9/09/2011 10:17:24 AM
System Uptime: 5/07/2012 10:05:16 PM (0 hours ago)

Motherboard: Intel Corp. | | Base Board Product Name
Processor: Intel® Core™2 Duo CPU T5750 @ 2.00GHz | CPU | 2120/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 179 GiB total, 13.358 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp

==== System Restore Points ===================

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.0
Adobe Shockwave Player 11.6
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
ATI Catalyst Install Manager
µTorrent
Audacity 2.0
AV
AviSynth 2.5
Battlefield Heroes
Bluetooth Stack for Windows by Toshiba
Bonjour
Camera Assistant Software for Toshiba
Canon Easy-WebPrint EX
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator EX 3.0
Canon MP270 series MP Drivers
Canon Utilities Digital Photo Professional 3.10
Canon Utilities Easy-PhotoPrint EX
Canon Utilities EOS Utility
Canon Utilities EOS Video Snapshot Task for ZoomBrowser EX
Canon Utilities Movie Uploader for YouTube
Canon Utilities My Printer
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities Solution Menu
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Dutch
CCC Help English
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Swedish
ccCommon
CD/DVD Drive Acoustic Silencer
CDisplay 1.8
Celtx (2.9.1)
Comical 0.8
ComicRack v0.9.153
Complitly
DVD MovieFactory for TOSHIBA
Facebook Video Calling 1.2.0.159
FM Tuner Utility
Freecorder 2.3 (with Skype Call Recording)
Freecorder 5
Freecorder Toolbar
Google Chrome
HandBrake 0.9.6
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java™ 6 Update 29
Java™ 6 Update 3
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office Standard Edition 2003
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Microsoft XNA Framework Redistributable 3.1
Mozilla Firefox 13.0.1 (x86 en-US)
Mozilla Maintenance Service
MSRedist
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Pando Media Booster
PunkBuster Services
QuickTime
Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Windows Media Encoder (KB2447961)
Skins
SPBBC 32bit
Spybot - Search & Destroy
Superfighters Deluxe Pre-Alpha
swMSM
Symantec Real Time Storage Protection Component
SymNet
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
TOSHIBA SD Memory Utilities
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Trojan Killer
TrueSuite Access Manager
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
uTorrentBar Toolbar
VLC media player 2.0.1
Windows Driver Package - Cmotech (cmusbnet) Net (06/11/2007 2.0.0.9)
Windows Driver Package - Cmotech Modem (12/13/2006 2.0.3.5)
Windows Driver Package - Cmotech Ports (12/13/2006 2.0.3.5)
Windows Media Encoder 9 Series

==== Event Viewer Messages From Past Week ========

5/07/2012 10:07:57 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
5/07/2012 10:07:18 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl SPBBCDrv spldr SRTSPX SYMTDI Wanarpv6
5/07/2012 10:07:18 PM, Error: Service Control Manager [7001] - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
5/07/2012 10:07:18 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
5/07/2012 10:06:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
5/07/2012 10:06:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
5/07/2012 10:06:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
5/07/2012 10:06:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/07/2012 10:06:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
5/07/2012 10:05:57 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
5/07/2012 10:05:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
4/07/2012 3:50:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================

(Edited July 5, 2012 by Maurice Naggar: Logs In-line)
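The DDS log above is what the helper read to single out the HbxTfbyd entry: a Run value launching from a user-profile folder with a throwaway name, and a second copy of the same file in the Startup folder carrying the system attribute. The following Python script is an added example, not part of the thread or of DDS itself; it applies exactly those two checks to DDS lines. The sample lines are copied from the log above, while the name heuristic, severity labels and function names are my own assumptions.

```python
"""Triage autorun entries from a DDS 'Pseudo HJT Report' (added example, not DDS code)."""
import re

VOWELS = frozenset("aeiou")

# uRun/mRun/uRunOnce/mRunOnce lines as DDS prints them: "<scope>Run: [<value name>] <command>"
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
# "Created Last 30" / "Find3M" lines: "<date> <time> <size> <attributes> <path>"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ (?P<attr>[-a-z]{8}) (?P<path>.+)$")

# Constructed sample: a handful of lines lifted from the DDS.txt posted above.
SAMPLE_DDS = r"""
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [HbxTfbyd] c:\users\user\appdata\local\cujhubpm\hbxtfbyd.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [<NO NAME>]
2012-06-30 05:00:24 93708 --s---w- c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe
2012-06-22 01:24:25 33792 ----a-w- c:\windows\system32\wuapp.exe
"""


def exe_path(cmd):
    """Return the executable a Run value launches, or None for an empty value.
    Quoted commands end at the closing quote; unquoted ones are cut at the first '.exe'."""
    if not cmd or not cmd.strip():
        return None
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_random(token):
    """Crude 'machine-generated name' test (assumption): six or more letters with very few
    vowels or a long consonant run, as in hbxtfbyd and cujhubpm; product names rarely qualify."""
    letters = "".join(ch for ch in token.lower() if ch.isalpha())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", letters))
    return vowel_ratio <= 0.25 or longest_consonant_run >= 4


def triage(dds_text):
    """Scan DDS output line by line and return (severity, reason, target) tuples in log order."""
    findings = []
    for line in dds_text.splitlines():
        run = RUN_RE.match(line)
        if run:
            path = exe_path(run.group("cmd"))
            if path is None:
                findings.append(("low", "autorun value with no command", f"[{run.group('name')}]"))
                continue
            parts = path.lower().split("\\")
            stem = parts[-1].rsplit(".", 1)[0]
            parent = parts[-2] if len(parts) > 1 else ""
            # Malware that survives a reboot usually lives in a user-writable profile folder
            # under a throwaway name; vendor updaters live there too, so the name test decides.
            if "appdata" in parts and (looks_random(stem) or looks_random(parent)):
                findings.append(("high", "autorun from user profile with random-looking name", path))
            continue
        entry = FILE_RE.match(line)
        if entry and "\\programs\\startup\\" in entry.group("path").lower() and "s" in entry.group("attr"):
            # The system attribute keeps the file out of a default Explorer view of the Startup folder.
            findings.append(("high", "startup-folder file with system attribute set", entry.group("path")))
    return findings


if __name__ == "__main__":
    for severity, reason, target in triage(SAMPLE_DDS):
        print(f"{severity.upper():5} {reason}: {target}")
```

Run against the full DDS.txt it reports only the two HbxTfbyd locations and the empty mRun value; the Google, Facebook and Toshiba entries pass because their folder and file names are ordinary words.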
Maurice Naggar Posted July 5, 2012 ID:567199

Hello tysonboh,

Going forward, do NOT attach log/reports. Always Copy & Paste contents into main-body of reply-box!

Tell me if you have a current license for Norton/Symantec, or whether this PC used to have a trial version of some Symantec app??

Please follow my guidance.

Download & SAVE to your Desktop Tigzy's RogueKiller (from here, or from here).
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on Scan button at upper right of screen.
Wait until the Status box shows "Scan Finished".
Click on Report and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
Maurice Naggar Posted July 5, 2012 ID:567201

P.S. Your logs showed some peer-to-peer filesharing apps: uTorrent. I do not recommend the use of P-2-P programs since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.
Risks of File-Sharing Technology
P2P file sharing: Know the risks

De-install (remove) uTorrent and any other peer-to-peer app AND confirm doing so.
I would also recommend the removal of the ASK toolbar.

All of this is just a starter. There's a whole lot of things to follow.
Do NOT do any websurfing, NO online banking, NO online transactions. Just only go to this forum and the websites I guide you to.
tysonboh (Author) Posted July 5, 2012 ID:567203

Yes, I did have Norton Antivirus, which has recently expired and I was yet to renew my subscription. Also, here is the log from the recently asked scan.

RogueKiller V7.6.2 [07/02/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: USER [Admin rights]
Mode: Scan -- Date: 07/05/2012 23:40:19

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-862659715-177543783-37968287-1003[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++
--- User ---
[MBR] 7df079e97d313bc9037b9c8b17b36d9c
[BSP] 59cdd0f62e430d3ee99792baf5e868e5 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 182987 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 377831424 | Size: 6286 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
tysonboh (Author) Posted July 5, 2012 ID:567206

Also, I uninstalled uTorrent, yet was unable to uninstall the Ask toolbar.
tysonboh (Author) Posted July 5, 2012 ID:567207

Also, whilst doing all of this, would you like me to stay in safe mode with networking? It's what I'm in at the moment.
Maurice Naggar Posted July 5, 2012 ID:567211

For the time being, Safe Mode with Networking is OK. Please try to do the following ....if possible.... and then post and await my next reply.

Use your browser to go here at Virustotal website.
Click the Choose File button and then navigate to C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe, then click the Scan it button.
The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis.
Save the results, and post back here in a reply.

==

Use your browser to go here at VirSCAN.org website.
Click the Browse button and then navigate to C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe, then click the Upload button.
Save the results, and post back here in a reply.
tysonboh (Author) Posted July 5, 2012 ID:567214

Nothing happened when I clicked on the Browse or Choose File buttons on both websites using Firefox, but then I switched to Internet Explorer and it worked. The results from the first website were:

File already analysed
This file was already analysed by VirusTotal on 2012-06-30 01:17:27.
Detection ratio: 3/42
You can take a look at the last analysis or analyse it again now.

I then clicked to look at the last analysis and it said:

SHA256: 4c88fa0048c8ab984c6a8ec730b11332cafcb5d9d5805772aba6d22fb1cd6cf1
SHA1: f1816ff44af8796ebfa1addc391b4554d9d45eed
MD5: 98ec79dd327cba948331972d5d69ea8a
File size: 91.5 KB ( 93708 bytes )
File name: 00ED56ED0C8ACB406ED701A8D72FB900F260307A.exe
File type: Win32 EXE
Detection ratio: 3 / 42
Analysis date: 2012-06-30 01:17:27 UTC ( 5 days, 12 hours ago )

Then I did the scan on the second website and these were the results:

VirSCAN.org Scanned Report :
Scanned time : 2012/07/06 00:09:02 (EST)
Scanner results: 28% Scanner(s) (10/36) found malware!
File Name : hbxtfbyd.exe
File Size : 93708 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 98ec79dd327cba948331972d5d69ea8a
SHA1 : f1816ff44af8796ebfa1addc391b4554d9d45eed
Online report : http://r.virscan.org/0056c89a479de0644ce16b58c1d26363

Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result
a-squared | 5.1.0.4 | 20120705120340 | 2012-07-05 | 9.62 | Backdoor.Win32.Azbreg!IK
AhnLab V3 | ... | .. | -- | 0.44 | -
AntiVir | 8.2.10.80 | 7.11.32.106 | 2012-06-09 | 0.17 | -
Antiy | 2.0.18 | 2.0.18. | 0002-18-00 | 0.27 | -
Arcavir | 2011 | 201206041805 | 2012-06-04 | 4.47 | -
Authentium | 5.1.1 | 201207050736 | 2012-07-05 | 1.77 | -
AVAST! | 4.7.4 | 120704-1 | 2012-07-04 | 0.21 | Win32:Rootkit-gen [Rtk]
AVG | 12.0.1787 | 2437/5112 | 2012-07-05 | 0.44 | BackDoor.Generic15.BGUU
BitDefender | 7.90123.7.90123 | 7.90123 | 2012-07-05 | 0.17 | -
ClamAV | 0.97.3 | 15110 | 2012-07-05 | 0.26 | -
Comodo | 5.1 | 12837 | 2012-07-05 | 2.83 | -
CP Secure | 1.3.0.5 | 2012.07.05 | 2012-07-05 | 0.50 | -
Dr.Web | 7.0.2.4281 | 2012.07.03 | 2012-07-03 | 13.03 | -
F-Prot | 4.6.2.117 | 20120702 | 2012-07-02 | 1.07 | -
F-Secure | 7.02.73807 | 2012.07.05.01 | 2012-07-05 | 0.22 | -
Fortinet | 4.3.392 | 15.797 | 2012-07-04 | 0.22 | W32/Azbreg.ARX!tr.bdr
GData | 22.5501 | 20120705 | 2012-07-05 | 5.34 | -
ViRobot | 20120704 | 2012.07.04 | 2012-07-04 | 0.40 | -
Ikarus | T3.1.32.20.0 | 2012.07.05.81674 | 2012-07-05 | 5.99 | Backdoor.Win32.Azbreg
JiangMin | 13.0.900 | 2012.07.04 | 2012-07-04 | 2.17 | -
Kaspersky | 5.5.10 | 2012.07.01 | 2012-07-01 | 0.25 | Backdoor.Win32.Azbreg.arx
KingSoft | 2009.2.5.15 | 2012.7.5.9 | 2012-07-05 | 0.88 | -
McAfee | 5400.1158 | 6762 | 2012-07-04 | 8.63 | Generic.dx!b2x4
Microsoft | 1.8502 | 2012.07.05 | 2012-07-05 | 4.15 | -
NOD32 | 3.0.21 | 7273 | 2012-07-05 | 0.17 | Win32/Ramnit.A virus
Panda | 9.05.01 | 2012.07.05 | 2012-07-05 | 5.01 | -
Trend Micro | 9.500-1005 | 9.236.02 | 2012-07-04 | 0.22 | -
Quick Heal | 11.00 | 2012.07.04 | 2012-07-04 | 1.20 | Backdoor.Azbreg.arx
Rising | 20.0 | 24.17.01.03 | 2012-07-03 | 2.92 | -
Sophos | 3.32.0 | 4.78 | 2012-07-05 | 5.39 | -
Sunbelt | 3.9.2540.2 | 12173 | 2012-07-04 | 0.97 | Trojan.Win32.Generic!BT
Symantec | 1.3.0.24 | 20120704.002 | 2012-07-04 | 0.43 | -
nProtect | 20120704.01 | 11565106 | 2012-07-04 | 1.34 | -
The Hacker | 6.8.0.0 | v00050 | 2012-07-04 | 0.71 | -
VBA32 | 3.12.18.0 | 20120705.0834 | 2012-07-05 | 4.04 | -
VirusBuster | 5.5.1.3 | 15.0.85.0/9045113 | 2012-07-05 | 0.23 | -
Maurice Naggar Posted July 5, 2012 ID:567221

Good thinking on the usage of IE browser.

This system has what appears to be a backdoor trojan infection. This likely can be cleaned up. BUT "if" it has a Ramnit virus infection, those are not curable!

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. You may "want to consider" a full reformat and reinstall of Windows rather than clean the system.

Let me know what you decide!

Here is some additional information:
What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx
Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451
Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx
Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx
Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx
Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp
tysonboh (author), posted July 5, 2012 (ID:567225)

Okay, well I guess I would first like to try and clean up this virus if possible. This isn't really a computer used for any online banking etc.; the only thing close to that is the occasional eBay purchase, which I haven't done in a while (long before getting the virus). It's mainly a recreational-use kind of computer for surfing the internet etc.

So what options do I really have? It would be good to just be able to try and clean the virus up, and I might get some of the main things off the computer that I want, then maybe reset it from there. But also, I have not accepted that pop-up once; does that make any difference to the case? The pop-up is the only thing that occurs, which I cancel every time; nothing else happens.
Maurice Naggar, posted July 5, 2012 (ID:567230)

Reposting this since the one just earlier has an alignment issue!!

I'll proceed to squash this malware, if you will follow my guide. Just by the way, anytime you have a "rogue" and when it is in the foreground, press ALT & hold & then the F4 key on the keyboard. Just do not click any "buttons" on the rogue window itself.

Not a show-stopper. Run this script and then let it finish. If it does finish without a hitch, I need for you to run a new (fresh) DDS & post just the DDS.txt (copy & paste).
I will have more for you afterwards.

We Need to Run a Batch Script
Press the Windows key on the keyboard.
In the box, type notepad and press Enter.
Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.

    rem Stop and delete a service registered under the malware's name, if one exists.
    sc stop HbxTfbyd
    sc delete HbxTfbyd
    rem Clear the System attribute, then rename both copies so neither autorun entry
    rem finds an .exe to launch; the files stay on disk for inspection.
    rem Paths containing spaces must be quoted or attrib/ren will not find the file.
    attrib -s "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe"
    ren "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe" hbxtfbyd.exx
    attrib -s "C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe"
    ren "C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe" hbxtfbyd.exZ
    rem Finally the batch file deletes itself.
    del /f /q "%~f0"

Select File -> Save As.
Press the Desktop button on the left side of the save dialog.
In the box, type in Fix.bat.
Press Save.
Close Notepad.
Right-click Fix.bat on your desktop, and choose Run as Administrator.
Press Yes if prompted by User Account Control.
tysonboh (author), posted July 5, 2012 (ID:567231)

Everything went well, here's the DDS.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 1.6.0_29
Run by USER at 1:03:40 on 2012-07-06
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.1432 [GMT 10:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.facebook.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Complitly: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\users\user\appdata\roaming\complitly\Complitly.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
BHO: Complitly: {d27fc31c-6e3d-4305-8d53-acdaefa5f862} - c:\users\user\appdata\roaming\complitly\Complitly.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Facebook Update] "c:\users\user\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [HbxTfbyd] c:\users\user\appdata\local\cujhubpm\hbxtfbyd.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [FingerPrintNotifer] "c:\program files\truesuite access manager\FpNotifier.exe"
mRun: [usbMonitor] "c:\program files\truesuite access manager\usbnotify.exe"
mRun: [PwdBank] "c:\program files\truesuite access manager\PwdBank.exe"
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
StartupFolder: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.88.1
TCP: Interfaces\{67546975-2D87-494D-AB3C-65D4D5547D83} : DhcpNameServer = 192.168.88.1
TCP: Interfaces\{9B623AC4-5DD2-4064-99A8-EBC993945FAC} : DhcpNameServer = 192.168.88.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\user\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\user\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\user\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\plugins\np-mswmp.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\1qolu3le.default\extensions\battlefieldheroespatcher@ea.com\plugins\npBFHUpdater.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\drivers\AlfaFF.sys [2011-9-8 43440]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-2-12 7168]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20111208.001\IDSvix86.sys [2011-12-9 287792]
S2 Authentec memory manager;Authentec memory manager service;c:\windows\system32\TAMSvr.exe [2011-9-8 49152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-26 40960]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-9-9 1153368]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-10 106104]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-26 113120]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2011-9-13 1251720]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-8-3 38448]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [2012-1-5 16128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-05 13:21:11 -------- d-----w- c:\users\user\appdata\local\cujhubpm
2012-07-04 12:45:59 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2012-07-04 05:22:09 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f7bdeaaa-f8e4-4513-a34e-69a86815d46a}\mpengine.dll
2012-06-30 10:46:38 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-06-30 05:00:24 93708 --s---w- c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe
2012-06-22 01:25:24 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 01:24:37 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 01:24:25 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 01:24:25 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-20 08:09:42 -------- d-----w- c:\program files\Microsoft XNA
2012-06-20 08:09:25 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-06-20 08:09:25 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2012-06-20 08:09:24 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2012-06-20 08:09:24 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-06-20 08:09:22 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-06-20 08:09:22 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-06-20 08:09:20 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2012-06-20 08:07:57 -------- d-----w- c:\program files\Superfighters Deluxe
2012-06-19 10:09:04 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-19 10:09:04 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-14 07:58:07 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:58:06 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 07:58:06 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:24:12 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:24:10 2045440 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec
2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-24 11:50:49 737280 ----a-w- c:\windows\iun6002.exe
.
============= FINISH: 1:04:49.55 ===============
Maurice Naggar, posted July 5, 2012 (ID:567233, edited)

We can stay in Safe Mode with Networking for a while. I'll have you restart into Normal mode at some point, soon.

Step 1
1. Go >> Here << and download ERUNT.
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder; if you like you can enable this option later).
3. Start ERUNT by doing a right-click on it & selecting Run As Administrator.
4. Choose a location for the backup (the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked.
6. Press OK.
7. Press YES to create the folder.

Step 2
Show all files:
Click the Start button, and then click Computer.
On the Organize menu, click Folder and Search Options.
Click the View tab.
Locate and uncheck Hide file extensions for known file types.
Locate and uncheck Hide protected operating system files (Recommended).
Locate and click Show hidden files and folders.
Click Apply > OK.

Step 3
Save and close any work documents, close any apps that you started.
Start your MBAM Malwarebytes' Anti-Malware.
Click the Settings tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.
Then click the Scanner Settings sub-tab in the second row of tabs. Make sure all option lines have a checkmark.
Next, click the Update tab. Press the "Check for Updates" button.
If prompted for a Restart, do that.
When done, click the Scanner tab.
Do a Quick Scan.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste this MBAM scan log in a reply.
Now proceed to the next step.

Step 4
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
Start ROGUEKILLER:
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then click on the Scan button at upper right of screen.
Wait until the Status box shows "Scan Finished".
Click on Report and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[2].txt on your Desktop.
Exit/Close RogueKiller.
Copy and paste RKReport2 into a new reply, and proceed to the next step.

Step 5
You will want to print out or copy these instructions to Notepad for offline reference!
These steps are for member tysonboh only. If you are a casual viewer, do NOT try this on your system!
If you are not tysonboh and have a similar problem, do NOT post here; start your own topic.
Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.
On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now.
Download Combofix from any of the links below, and SAVE it to your Desktop.
Link 1
Link 2
**Note: It is important that it is saved directly to your Desktop and not run straight away from download.**
Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system and how much there is to scan & how much it needs to clean.
If this is on a notebook system, make sure first the notebook is connected to wall power (AC power) or a UPS system.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".
A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop. A file will be created at => C:\Combofix.txt.
Note: Do not mouse-click Combofix's window nor run any program while Combofix is running. That may cause it to stall.
Reply with a copy of the C:\Combofix.txt log.
Re-enable your antivirus app.

Edited July 5, 2012 by Maurice Naggar
tysonboh (author), posted July 5, 2012 (ID:567235)

I am unable to do step 2; there are no menus/above toolbar.
Maurice Naggar, posted July 5, 2012 (ID:567236)

Press the ALT key to see menu options in Windows Explorer. Then try.
If you get stuck, move on to the next step.
tysonboh (author), posted July 5, 2012 (ID:567238)

Never mind, I fixed step 2.
tysonboh (author), posted July 5, 2012 (ID:567250)

Here is the scan from MBAM; there were no infections found though.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.05.05
Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.19272
USER :: USER-PC [administrator]
6/07/2012 1:30:59 AM
mbam-log-2012-07-06 (01-30-59).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213855
Time elapsed: 3 minute(s), 53 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

Here's the RogueKiller scan:

RogueKiller V7.6.2 [07/02/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: USER [Admin rights]
Mode: Scan -- Date: 07/06/2012 01:38:10
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-862659715-177543783-37968287-1003[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++
--- User ---
[MBR] 7df079e97d313bc9037b9c8b17b36d9c
[BSP] 59cdd0f62e430d3ee99792baf5e868e5 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 182987 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 377831424 | Size: 6286 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Now as for step 5: as it may take a while, and it's 1:45 in the morning here, I'm just going to turn off my computer right now and go to sleep and continue this in the morning. Thanks for the help so far, but I'll have to get back to this tomorrow.
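The two entries RogueKiller marks [SUSP PATH], and the uRun/StartupFolder lines in the DDS output before them, stand out for a reason an analyst applies by eye: the image runs from a user-writable location (AppData or the per-user Startup folder) under a folder and file name that look machine-generated, while the legitimate per-user updaters next to them (Facebook, Google) do not. The script below is an added example, not part of this thread and not code from DDS, RogueKiller or Malwarebytes; it makes that heuristic explicit and runs it over a constructed sample built from lines posted above. The vowel/consonant test in looks_random is an assumption of this example, not a published rule, and it parses only the two line formats shown here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input, modelled on lines from this thread. Formats covered:
# DDS pseudo-HJT (uRun = HKCU Run, mRun = HKLM Run, StartupFolder = per-user Startup)
# and RogueKiller's "[SUSP PATH]" registry lines.
SAMPLE_LOG = r"""
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Facebook Update] "c:\users\user\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [HbxTfbyd] c:\users\user\appdata\local\cujhubpm\hbxtfbyd.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
StartupFolder: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hbxtfbyd.exe
[SUSP PATH] HKCU\[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
"""

DDS_RE = re.compile(r"^(?P<kind>uRun|mRun|StartupFolder):\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<rest>.+)$")
RK_RE = re.compile(r"^\[SUSP PATH\]\s+(?P<kind>\S+)\s*:\s*(?P<name>\S+)\s+\((?P<rest>[^)]+)\)")
# Image path = a quoted string, or everything up to the first executable extension,
# so unquoted paths containing spaces stay whole and trailing arguments are dropped.
PATH_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|scr|bat|cmd|com))\b', re.I)

# Profile sub-folders that are expected and carry no signal on their own.
BORING = {"local", "locallow", "roaming", "microsoft", "windows", "start menu",
          "programs", "startup", "update"}
VOWELS = "aeiouy"


def looks_random(token: str) -> bool:
    """Heuristic (an assumption of this example): a long all-letter token that is
    vowel-starved or has a consonant pile-up is probably machine-generated.
    cujhubpm and hbxtfbyd trip it; facebook, google and complitly do not."""
    t = token.lower()
    if len(t) < 6 or not t.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in t) / len(t)
    longest_run = max(len(run) for run in re.split(f"[{VOWELS}]", t))
    return vowel_ratio < 0.2 or longest_run >= 4 or (longest_run >= 3 and vowel_ratio <= 0.25)


def profile_parts(path: str) -> Optional[List[str]]:
    """Tokens worth judging (folders under AppData plus the file stem), or None when
    the image is not in a user-writable profile location."""
    p = path.lower().replace("/", "\\")
    parts = [c for c in p.split("\\") if c]
    if "appdata" in parts:
        tail = parts[parts.index("appdata") + 1:]
    elif parts and parts[0] in ("%appdata%", "%localappdata%", "%temp%", "%userprofile%"):
        tail = parts[1:]
    else:
        return None
    if not tail:
        return None
    stem = re.sub(r"\.[a-z0-9]{2,4}$", "", tail[-1])
    return [c for c in tail[:-1] if c not in BORING] + [stem]


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    odd_tokens: List[str]


def image_path(rest: str) -> Optional[str]:
    m = PATH_RE.match(rest.strip())
    return (m.group("q") or m.group("u")) if m else None


def triage(log_text: str) -> List[Finding]:
    """Flag autorun entries that run from a user-writable location under a random-looking name."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DDS_RE.match(line) or RK_RE.match(line)
        if not m:
            continue
        path = image_path(m.group("rest"))
        if not path:
            continue
        parts = profile_parts(path)
        if parts is None:
            continue  # outside the profile: planting it needs admin rights, out of scope here
        odd = [t for t in parts if looks_random(t)]
        if odd:
            findings.append(Finding(m.group("kind"), m.group("name") or "", path, odd))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<16} {f.name:<10} {f.path}  <- random-looking: {', '.join(f.odd_tokens)}")
```

On the sample it reports exactly the three HbxTfbyd entries and nothing else. Location alone would not do: FacebookUpdate.exe and GoogleUpdate.exe also live under AppData\Local, which is why the name test is needed as a second condition. A hit is a lead, not a verdict; the next step is what the original poster did, hashing the file and checking it against a multi-engine scan.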
tysonboh (author), posted July 6, 2012 (ID:567412)

Okay, so here is the MBAM log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.05.05
Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.19272
USER :: USER-PC [administrator]
6/07/2012 12:00:22 PM
mbam-log-2012-07-06 (12-00-22).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213789
Time elapsed: 4 minute(s), 27 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

The RogueKiller log:

RogueKiller V7.6.2 [07/02/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: USER [Admin rights]
Mode: Scan -- Date: 07/06/2012 12:06:04
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-862659715-177543783-37968287-1003[...]\Run : HbxTfbyd (C:\Users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++
--- User ---
[MBR] 7df079e97d313bc9037b9c8b17b36d9c
[BSP] 59cdd0f62e430d3ee99792baf5e868e5 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 182987 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 377831424 | Size: 6286 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

And the ComboFix log:

ComboFix 12-07-05.04 - USER 06/07/2012 12:12:49.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.1529 [GMT 10:00]
Running from: c:\users\USER\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Complitly
c:\program files\Complitly\chrome\ComplitlyChrome.crx
c:\program files\Complitly\FireFoxExtension.exe
c:\program files\Complitly\InstTracker.exe
c:\program files\Complitly\support@Complitly.com\chrome.manifest
c:\program files\Complitly\support@Complitly.com\chrome\content\appIcon.png
c:\program files\Complitly\support@Complitly.com\chrome\content\browserOverlay.xul
c:\program files\Complitly\support@Complitly.com\chrome\content\options.js
c:\program files\Complitly\support@Complitly.com\chrome\content\options.xul
c:\program files\Complitly\support@Complitly.com\chrome\content\utils.js
c:\program files\Complitly\support@Complitly.com\defaults\preferences\predictad.js
c:\program files\Complitly\support@Complitly.com\install.rdf
c:\program files\Complitly\unins000.dat
c:\program files\Complitly\unins000.exe
c:\users\USER\AppData\Local\bclcobqq.log
c:\users\USER\AppData\Local\hqynaqbm.log
c:\users\USER\AppData\Local\ihgbsnfm.log
c:\users\USER\AppData\Local\nsxrwhop.log
c:\users\USER\AppData\Local\qlvjivut.log
c:\users\USER\AppData\Local\uqqnymdj.log
c:\users\USER\AppData\Local\vcqldfng.log
c:\users\USER\AppData\Roaming\Love
c:\users\USER\AppData\Roaming\Love\mari0\options.txt
c:\users\USER\AppData\Roaming\Love\not_tetris_2\highscoresA.txt
c:\users\USER\AppData\Roaming\Love\not_tetris_2\highscoresB.txt
c:\users\USER\AppData\Roaming\Love\not_tetris_2\options.txt
c:\windows\iun6002.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
.
.
2012-07-05 15:18 . 2012-07-05 15:19 -------- d-----w- c:\program files\ERUNT
2012-07-05 13:21 . 2012-07-05 15:02 -------- d-----w- c:\users\USER\AppData\Local\cujhubpm
2012-07-04 12:45 . 2008-07-30 07:42 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2012-07-04 05:22 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F7BDEAAA-F8E4-4513-A34E-69A86815D46A}\mpengine.dll
2012-06-30 10:46 . 2012-06-30 11:07 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-06-30 05:00 . 2012-06-30 05:00 93708 --s---w- c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe
2012-06-22 01:25 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-22 01:25 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-22 01:25 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-22 01:25 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 01:24 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-22 01:24 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-22 01:24 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 01:24 . 2012-06-02 05:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 01:24 . 2012-06-02 05:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 08:09 . 2012-06-20 08:09 -------- d-----w- c:\program files\Microsoft XNA
2012-06-20 08:09 . 2009-03-16 04:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-06-20 08:09 . 2009-03-16 04:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2012-06-20 08:09 . 2009-03-16 04:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2012-06-20 08:09 . 2009-03-16 04:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-06-20 08:09 . 2007-04-04 08:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-06-20 08:09 . 2007-03-12 06:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-06-20 08:09 . 2006-09-28 06:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2012-06-20 08:07 . 2012-06-20 08:07 -------- d-----w- c:\program files\Superfighters Deluxe
2012-06-19 10:09 . 2012-06-19 10:09 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-19 10:09 . 2012-06-19 10:09 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-14 07:58 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:58 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 07:58 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:24 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:24 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-19 10:09 . 2011-11-11 08:13 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-05-09 08:49 176936 ----a-w- c:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-23 10:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2007-04-20 01:40 118784 ----a-w- c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-02-06 137536]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17
431456]"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 448080]"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2008-01-24 671744]"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2007-06-05 94208]"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2008-02-01 3150848]"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-23 887976]"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936].c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe [2012-6-30 93708].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"EnableUIADesktopToggle"= 0 (0x0)"DisableCAD"= 1 (0x1).[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001.[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001.[HKEY_LOCAL_MACHINE\software\microsoft\security 
center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001.--- Other Services/Drivers In Memory ---.*NewlyCreated* - COMHOST.[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache.Contents of the 'Scheduled Tasks' folder.2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59].2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59].2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47].2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47].2012-06-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - USER.job- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 02:09].2012-07-05 c:\windows\Tasks\User_Feed_Synchronization-{F3431E30-F412-43CE-91E3-3CD359877F65}.job- c:\windows\system32\msfeedssync.exe [2012-06-14 03:24]..------- Supplementary Scan -------.uStart Page = hxxp://www.facebook.com/uDefault_Search_URL = hxxp://www.google.com/ieuInternet Settings,ProxyOverride = *.localuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000TCP: DhcpNameServer = 192.168.88.1FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\1qolu3le.default\.- - - - ORPHANS REMOVED - - - -.HKCU-Run-TOSCDSPD - TOSCDSPD.EXEHKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exeHKCU-Run-HbxTfbyd - 
c:\users\USER\AppData\Local\cujhubpm\hbxtfbyd.exeAddRemove-Freecorder_1.0 - c:\windows\iun6002.exeAddRemove-{4FFBB818-B13C-11E0-931D-B2664824019B}_is1 - c:\program files\Complitly\unins000.exe...**************************************************************************.catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2012-07-06 12:18Windows 6.0.6002 Service Pack 2 NTFS.scanning hidden processes ... .scanning hidden autostart entries ....scanning hidden files ... .scan completed successfullyhidden files: 0.**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'Explorer.exe'(1928)c:\program files\TrueSuite Access Manager\IconOvrly.dll.Completion time: 2012-07-06 12:21:36ComboFix-quarantined-files.txt 2012-07-06 02:21.Pre-Run: 13,369,495,552 bytes freePost-Run: 13,484,347,392 bytes free.- - End Of File - - E54F07FAB8D43002BAE4302CF457585B Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 6, 2012 ID:567420

You will want to print out or copy these instructions to Notepad for offline reference!

I am going to have you get a fresh copy of Combofix, save it first, and then run a special script. There's still some stubborn malware lying about.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.
Link 1
Link 2
Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the Code box below into it:
http://forums.malwarebytes.org/index.php?showtopic=112037

KILLALL::
Collect::
[4]
c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe
Driver::
HbxTfbyd
Folder::
c:\users\USER\AppData\Local\cujhubpm

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.
Next, Click the Update tab. Press the "Check for Updates" button.
When done, click the Scanner tab.
Do a Quick Scan.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 3
Reply with the latest C:\Combofix.txt
and the latest MBAM scan log
and tell me, how is your system now?
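The CFScript above goes after two things in a log full of legitimate autostarts: an executable dropped into the user's Startup folder and a Run-key orphan pointing into a randomly named folder under AppData\Local. The triage rule that singles those out is worth writing down. What follows is an added example in Python, not code from this thread, from ComboFix or from Malwarebytes: it parses autostart lines in the shape ComboFix prints them, flags any target that lives in a user-writable profile location, and adds a purely heuristic "looks machine-generated" score for the file and folder names. The sample lines are constructed to match the log posted above; the vowel-ratio heuristic is an assumption of mine and only orders attention, it does not convict anything.

```python
"""Triage ComboFix-style autostart entries: which ones should an analyst look at first?"""
import re
from typing import Dict, List

# Constructed sample in the shape of the "Reg Loading Points" / ORPHANS sections above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-02-06 137536]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NDSTray.exe"="NDSTray.exe" [BU]
.
c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe [2012-6-30 93708]
.
HKCU-Run-HbxTfbyd - c:\users\USER\AppData\Local\cujhubpm\hbxtfbyd.exe
'''

REG_HEADER = re.compile(r'^\[(HKEY_[^\]]+)\]$')
REG_VALUE = re.compile(r'^"([^"]+)"=\s*"([^"]*)"(?:\s+\[[^\]]*\])?\s*$')
STARTUP_FILE = re.compile(
    r'^(c:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\\S+)',
    re.I)
ORPHAN = re.compile(r'^(HKCU-Run|HKLM-Run)-(\S+)\s+-\s+(.+)$')

# Lower-cased path fragments that any unprivileged user can write to.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programs\\startup\\')


def looks_machine_generated(name: str) -> bool:
    """Heuristic (assumption): a stem of 7+ lowercase letters that is vowel-poor or has a
    consonant run of 4+ (hbxtfbyd, cujhubpm). Legitimate names can trip it too."""
    stem = name.rsplit('.', 1)[0]
    if not re.fullmatch(r'[a-z]{7,}', stem):
        return False
    vowel_ratio = sum(c in 'aeiou' for c in stem) / len(stem)
    longest_run = max(len(run) for run in re.split(r'[aeiou]', stem))
    return vowel_ratio <= 0.25 or longest_run >= 4


def parse_autostarts(log_text: str) -> List[Dict[str, str]]:
    """Extract (location, name, path) from Run-key values, Startup-folder files and orphans."""
    entries: List[Dict[str, str]] = []
    location = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_HEADER.match(line)
        if m:
            location = m.group(1)          # values that follow belong to this key
            continue
        m = REG_VALUE.match(line)
        if m:
            entries.append({'location': location, 'name': m.group(1), 'path': m.group(2)})
            continue
        m = STARTUP_FILE.match(line)
        if m:
            path = m.group(1)
            entries.append({'location': 'Startup folder', 'name': path.rsplit('\\', 1)[-1], 'path': path})
            continue
        m = ORPHAN.match(line)
        if m:
            entries.append({'location': m.group(1), 'name': m.group(2), 'path': m.group(3)})
    return entries


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return only the entries with at least one reason to look closer, reasons attached."""
    findings: List[Dict[str, object]] = []
    for entry in parse_autostarts(log_text):
        reasons = []
        if any(marker in entry['path'].lower() for marker in USER_WRITABLE):
            reasons.append('target in user-writable profile location')
        parts = entry['path'].split('\\')
        if looks_machine_generated(parts[-1]):
            reasons.append('file name looks machine-generated')
        if len(parts) > 1 and looks_machine_generated(parts[-2]):
            reasons.append('parent folder name looks machine-generated')
        if reasons:
            findings.append({**entry, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['location']} :: {f['name']} -> {f['path']}")
        for r in f['reasons']:
            print(f"    - {r}")
```

On the sample, the Facebook updater is reported with a single reason (it lives under AppData, as many legitimate per-user updaters do), while the Startup-folder file and the orphaned Run value collect two and three reasons respectively, which is the ordering a helper would want before writing a script like the one above.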
tysonboh Posted July 6, 2012 Author ID:567429

Okay, so I did the ComboFix thing, and after it was done it must have restarted the computer, but it restarted in normal mode. In normal mode these blue ComboFix boxes kept flashing up all over the screen; after waiting a while I realised this wasn't right, turned it off and opened it again in safe mode with networking. ComboFix was up again but working properly and it finished its thing. Here's the log:

ComboFix 12-07-05.04 - USER 06/07/2012 12:58:40.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.1348 [GMT 10:00]
Running from: c:\users\USER\Desktop\ComboFix.exe
Command switches used :: c:\users\USER\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
file zipped: c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\USER\AppData\Local\cujhubpm
c:\users\USER\AppData\Local\cujhubpm\hbxtfbyd.exZ
c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbxtfbyd.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
.
.
2012-07-06 03:02 . 2012-07-06 03:09 -------- d-----w- c:\users\USER\AppData\Local\temp
2012-07-06 03:02 . 2012-07-06 03:02 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2012-07-06 03:02 . 2012-07-06 03:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-05 15:18 . 2012-07-05 15:19 -------- d-----w- c:\program files\ERUNT
2012-07-04 12:45 . 2008-07-30 07:42 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2012-07-04 05:22 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F7BDEAAA-F8E4-4513-A34E-69A86815D46A}\mpengine.dll
2012-06-30 10:46 . 2012-06-30 11:07 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-06-22 01:25 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-22 01:25 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-22 01:25 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-22 01:25 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 01:24 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-22 01:24 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-22 01:24 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 01:24 . 2012-06-02 05:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 01:24 . 2012-06-02 05:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 08:09 . 2012-06-20 08:09 -------- d-----w- c:\program files\Microsoft XNA
2012-06-20 08:09 . 2009-03-16 04:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-06-20 08:09 . 2009-03-16 04:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2012-06-20 08:09 . 2009-03-16 04:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2012-06-20 08:09 . 2009-03-16 04:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-06-20 08:09 . 2007-04-04 08:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-06-20 08:09 . 2007-03-12 06:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-06-20 08:09 . 2006-09-28 06:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2012-06-20 08:07 . 2012-06-20 08:07 -------- d-----w- c:\program files\Superfighters Deluxe
2012-06-19 10:09 . 2012-06-19 10:09 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-19 10:09 . 2012-06-19 10:09 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-14 07:58 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:58 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 07:58 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:24 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:24 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-19 10:09 . 2011-11-11 08:13 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-05-09 08:49 176936 ----a-w- c:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-23 10:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-23 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2007-04-20 01:40 118784 ----a-w- c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-02-06 137536]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2008-01-24 671744]
"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2007-06-05 94208]
"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2008-02-01 3150848]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-23 887976]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-07 421736]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job
- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59]
.
2012-07-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job
- c:\users\USER\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-06 05:59]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003Core.job
- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862659715-177543783-37968287-1003UA.job
- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 10:47]
.
2012-06-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - USER.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 02:09]
.
2012-07-05 c:\windows\Tasks\User_Feed_Synchronization-{F3431E30-F412-43CE-91E3-3CD359877F65}.job
- c:\windows\system32\msfeedssync.exe [2012-06-14 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.88.1
FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\1qolu3le.default\
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(320)
c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Media Player\wmpnscfg.exe
.
**************************************************************************
.
Completion time: 2012-07-06 13:14:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-06 03:14
ComboFix2.txt 2012-07-06 02:21
.
Pre-Run: 13,502,423,040 bytes free
Post-Run: 13,271,773,184 bytes free
.
- - End Of File - - B4458361A748C3563EB63FA1AB6D1886
Upload was successful

Here is the MBAM scan.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.06.01

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.19272
USER :: USER-PC [administrator]

6/07/2012 1:19:58 PM
mbam-log-2012-07-06 (13-19-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216364
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

As for how my system is now, would you like me to reboot in normal mode and see if the pop-up still occurs, or something?
tysonboh Posted July 6, 2012 Author ID:567432

Okay, so I went ahead and restarted the system in normal mode; no pop-up so far. And really the pop-up was the only thing showing me that I had the virus; there were no other problems occurring on my computer, so basically it's running the exact same way, minus the pop-up.
Maurice Naggar Posted July 6, 2012 ID:567436 (edited)

Yes, you should be in Normal mode of Windows.

Now, you had said: "okay so I did the ComboFix thing, and after it was done it must have restarted the computer, but it restarted in normal mode. In normal mode these blue ComboFix boxes kept flashing up all over the screen; after waiting a while I realised this wasn't right, turned it off and opened it again in safe mode with networking. ComboFix was up again but working properly and it finished its thing. Here's the log."

I hope you never again have an occasion to need to run Combofix... but you should be made very aware of this: Combofix does a lot of work, and unless your Helper tells you otherwise, you should always allow it to restart on its own and on its own get back to Windows.

It appears things are back to "normal", meaning the rogue "command processor" trojan is gone.

I believe much, much earlier you said your Norton license had expired. If still true, I would recommend you remove Norton antivirus and get either MS Security Essentials or Avira antivirus.

Two good antivirus programs free for non-commercial home use are Avira Free Antivirus and Microsoft Security Essentials.

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

I would suggest you get either MSE or Avira.

The sequence to use when switching antivirus is this:
1) Download AND SAVE the setup program of the new antivirus. (Have it handy.)
2) Disconnect pc from internet
3) De-install the old antivirus (in your case with XP, use the Add-or-Remove program & then locate it & un-install (remove))
4) Make sure to Logoff and Restart Windows fresh.
5) Run setup of new antivirus
6) Logoff and Restart fresh
7) Reconnect to internet
8) Start the new A-V, and do an Update run (to make sure it is all current)

Watch your system closely for another 24 hours.

Do not disappear, but return tomorrow to give me a new update; plus I need to convey to you the cleanup procedure.

Edited July 6, 2012 by Maurice Naggar
tysonboh Posted July 6, 2012 Author ID:567467

Okay, I've uninstalled Norton, put Microsoft Security Essentials on and completely updated it, and now it's doing a full scan; so far it's taken about 3 hours and is still going. So am I now able to use my computer for browsing still? Or would it still be unsafe to log into websites I want to use, etc.?
Maurice Naggar Posted July 6, 2012 ID:567504

After the scan finishes, I highly recommend you get & apply the MVP hosts (below). After that, you may visit & browse, but always be very careful not to be real quick to click links to unknown sites or questionable links.

Get and use MVP Mike Burgess' custom hosts file: http://mvps.org/winhelp2002/hosts.htm

Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder.
2) Unzip (extract the contents) in the same folder.
3) Temporarily disable your antivirus program. Some antivirus apps will block changes to the Hosts file, so turn it off.
4) After extract is complete, run the mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides, typically C:\WINDOWS\system32\drivers\etc, and after that copy is saved, it replaces the old Hosts with the new one.
And you should see (in the blue background command window) the following:

    THE MVPS HOSTS FILE IS NOW UPDATED
    Previous version saved and renamed to HOSTS.MVP
    Press any key to continue . . .

Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts. The latter is the same folder that had mvps.bat.
5) Re-enable your antivirus app.

The MVP Hosts file is updated from time to time. See http://msmvps.com/blogs/hostsnews for information. And you can also sign up for email notice when Mike publishes updates.

Do not go away, as we still need to do cleanups and closure.
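Step 4 above describes what mvps.bat does: back the current Hosts up as HOSTS.MVP beside it, then drop the new file in. The step a practitioner would add before trusting any downloaded Hosts file is to read it first: a blocking Hosts file is only safe because every name in it resolves to a loopback or null address, and a single line pointing a bank's hostname at a routable IP would turn the blocklist into a redirector. The following is an added example in Python, not the mvps.bat from the MVPS site or anything from this thread; it validates a Hosts file against that rule, refuses to install one that fails, and otherwise performs the same backup-then-replace. The allowed-target set, the sample Hosts text and the demo's temporary directory are my assumptions; on a real Windows machine you would point it at C:\Windows\System32\drivers\etc\hosts from an elevated prompt, with the antivirus paused as step 3 says.

```python
"""Validate a blocking Hosts file (names may only map to loopback/null), then install it with a backup."""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Assumption: a blocking Hosts file may only point names here. Anything else can redirect traffic.
ALLOWED_TARGETS = {'0.0.0.0', '127.0.0.1', '::1'}
HOSTNAME = re.compile(
    r'^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$', re.I)

# Constructed samples, not the real MVPS file. 203.0.113.0/24 and .example are reserved for documentation.
SAMPLE_GOOD = """# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net   # blocked advertiser
0.0.0.0 tracker.example.org
"""
SAMPLE_BAD = SAMPLE_GOOD + "203.0.113.7 login.bank.example\n"


def check_hosts(text: str) -> Tuple[int, List[str]]:
    """Return (number of accepted name mappings, list of rejected lines with the reason)."""
    accepted = 0
    rejected: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        target, names = fields[0], fields[1:]
        if target not in ALLOWED_TARGETS:
            rejected.append(f'line {lineno}: redirects to {target}: {raw.strip()}')
            continue
        if not names or any(not HOSTNAME.match(n) for n in names):
            rejected.append(f'line {lineno}: malformed hostname: {raw.strip()}')
            continue
        accepted += len(names)
    return accepted, rejected


def install_hosts(new_text: str, hosts_path: Path, backup_name: str = 'HOSTS.MVP') -> Path:
    """Refuse unsafe content; otherwise copy the existing file to <dir>/HOSTS.MVP and replace it."""
    _, rejected = check_hosts(new_text)
    if rejected:
        raise ValueError('refusing to install hosts file:\n' + '\n'.join(rejected))
    backup = hosts_path.with_name(backup_name)
    if hosts_path.exists():
        shutil.copy2(hosts_path, backup)           # keep timestamps, like the batch file's copy
    hosts_path.write_text(new_text)
    return backup


def demo() -> Dict[str, bool]:
    """Run the whole flow in a throwaway directory so it never touches the real Hosts file."""
    work = Path(tempfile.mkdtemp())
    hosts = work / 'hosts'
    hosts.write_text('127.0.0.1 localhost\n')     # stands in for the pre-existing Hosts
    backup = install_hosts(SAMPLE_GOOD, hosts)
    try:
        install_hosts(SAMPLE_BAD, hosts)
        refused = False
    except ValueError:
        refused = True
    return {
        'installed': hosts.read_text() == SAMPLE_GOOD,
        'backup_kept': backup.name == 'HOSTS.MVP' and backup.read_text() == '127.0.0.1 localhost\n',
        'bad_file_refused': refused,
        'unchanged_after_refusal': hosts.read_text() == SAMPLE_GOOD,
    }


if __name__ == '__main__':
    for key, ok in demo().items():
        print(f'{key}: {"ok" if ok else "FAILED"}')
```

The check is deliberately strict about the target address rather than the hostnames: the harm in a tampered blocklist comes from where a name is sent, not from which names are listed, so an extra blocked name is a nuisance while a single routable target is a credential-stealing redirect.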
tysonboh Posted July 6, 2012 Author ID:567515

Okay, I just finished all that, so is it now safe to browse? What about online purchasing, logging into sites I use frequently, etc.?