HELP!!! VIRUS PREVENTS ME FROM INSTALLING ANTI-VIRUS!
kamran500 New Member Date Joined May 2009 Total Posts : 11 Posted 5/28/2009 5:30 PM (GMT +3)
Hey, I've got some viruses on my computer and it's disabled registry editing and Ctrl+Alt+Delete. I've tried a lot to get rid of it, but every time I try to install an antivirus it just gives an error or says it can't edit the name and rolls back the changes. Can anyone help me out?
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 5/29/2009 6:49 AM (GMT +3) Hello kamran500
Please download ComboFix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe Before saving it to the Desktop, please rename it to something like 123.exe to stop malware from disabling it. Now, please make sure no other programs are running; close all other windows.
Please double-click on the file you downloaded. Follow the on-screen prompts to start the scan. Once the scanning process has started, please DO NOT click on the ComboFix window or attempt to use your computer, as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal. You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and they will be restored after scanning has completed. ComboFix will create a log file and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please post it in your next reply.
Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
kamran500 New Member Date Joined May 2009 Total Posts : 11 Posted 5/30/2009 12:46 AM (GMT +3)
OK, I tried to start up ComboFix but no prompts came up. Then a blank blue Notepad-sort-of program came up, and then an application error message from ping.exe showed up saying "The instruction at '0x5a0030fa' referenced memory at '0x00a6b380'. The memory could not be 'read'. Click OK to terminate the program." After I clicked OK another error message came up saying "The instruction at '0x5a0018d6' referenced memory at '0x5a01fe04'. The memory could not be 'written'. Click OK to terminate the program." and then I'm left with the blank blue program.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 5/30/2009 7:33 AM (GMT +3) Try this scanner ->
to your Desktop and double-click on DDS.scr to run it. If your security software includes script-blocking features, please disable these before you run this utility.
When the scan has finished, two logs will open.
Copy and paste both reports in this topic.
The logs will be reasonably large, so you may have to divide them into sections and make several posts to post them.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 6/1/2009 6:25 AM (GMT +3) Good grief, what have you done?
The log is impossible to read.
kamran500 New Member Date Joined May 2009 Total Posts : 11 Posted 6/1/2009 7:22 PM (GMT +3)
lol, it just came out like that in the Notepad-like thing when I started up the screensaver thing you sent me.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 6/2/2009 1:59 PM (GMT +3)
I've deleted the log.
Right-click on DDS.scr and rename it to DDS.com.
Post the new log, if it is readable.
kamran500 New Member Date Joined May 2009 Total Posts : 11 Posted 7/18/2009 11:05 PM (GMT +3)
Sorry for taking so long to reply, I've been very busy.
kamran500 New Member Date Joined May 2009 Total Posts : 11 Posted 7/18/2009 11:06 PM (GMT +3)

DDS (Ver_09-05-14.01) - NTFSx86
Run by Kamran 2 at 12:23:19.53 on Sat 07/18/2009
Internet Explorer: 7.0.5730.11

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.alot.com/?client_id=A49E342001C9CE65005CABC1&install_time=06-05-2009:17:13&src_id=11028&camp_id=162&tb_version=2.4.2.399
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,c:\windows\system32\twext.exe,c:\windows\system32\msupdt.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MSN helper: {10c0b0c0-fc01-473b-8ebb-4376353f96e4} - bekbn.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: MS extension: {7c7efe99-c71f-48b8-8cc8-ba506ca76a33} - magks32.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton antivirus\NavShExt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [SMSystemAnalyzer] "c:\program files\iolo\system mechanic professional 7\SMSystemAnalyzer.exe"
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SYS32DLL] SYS32DLL
uRun: [Internet Antivirus Pro] "c:\program files\internet antivirus pro\IAPro.exe" /s
uRun: [SYSDLL] SYSDLL
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [USIUDF_Eject_Monitor] c:\program files\common files\ulead systems\dvd\USISrv.exe
mRun: [Ulead Quick-Drop] "c:\program files\ulead systems\ulead dvd moviefactory 4.0 suite\ulead quick-drop 1.0\Quick-Drop.exe" WINDOWCALL
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [Norton] c:\program files\asus\wlan card utilities\NorExec.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [brastia] brastia.exe
dRun: [svc] c:\program files\thunmail\testabd.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} - hxxps://signup.msn.com/pages/MsnInstC.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://www.runaware.com/dolphin/wficat.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141481718203
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - hxxp://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

==================== Find3M ====================

2009-06-03 17:44 17,408 a------- c:\windows\system32\SYSDLL.exe
2009-05-31 20:36 70,144 a------- c:\windows\system32\inform.dat
2009-05-31 20:36 42,496 a------- c:\windows\system32\bekbn.dll
2009-05-29 22:26 388,608 a------- c:\windows\system32\CF12432.exe
2009-05-29 22:10 388,608 a------- c:\windows\system32\CF9294.exe
2009-05-29 22:04 17,408 a------- c:\windows\st_1243640061.exe
2009-05-29 22:04 388,608 a------- c:\windows\system32\CF8271.exe
2009-05-28 15:12 17,408 a------- c:\windows\st_1243534364.exe
2009-05-28 15:04 15,872 a------- c:\windows\st_1243551312.exe
2009-05-28 11:13 17,408 a------- c:\windows\st_1243508593.exe
2009-05-27 13:31 34,304 a------- c:\windows\system32\magks32.dll
2009-05-27 12:47 17,408 a------- c:\windows\st_1243452725.exe
2009-05-27 11:00 124,928 a------- c:\windows\system32\sopidkc.exe
2009-05-27 11:00 158,720 a------- c:\windows\system32\tpsaxyd.exe
2009-05-27 07:14 36,864 a------- c:\windows\system32\dpcxool64.sys
2009-05-26 23:41 17,408 a------- c:\windows\st_1243388353.exe
2009-05-26 22:30 17,408 a------- c:\windows\st_1243403935.exe
2009-05-26 21:37 23,040 a------- c:\windows\system32\file.exe
2009-05-25 17:06 14,848 a---h--- c:\windows\ld08.exe
2009-05-24 15:25 23,552 ----h--- c:\windows\romeo15.exe
2009-05-24 15:25 41,984 ----h--- c:\windows\freddy43.exe
2009-05-20 17:35 13,312 ----h--- c:\windows\pp10.exe
2009-05-19 15:33 5,453 a------- c:\windows\st_1242762082.exe
2009-05-19 15:33 5,461 a------- c:\windows\st_1242743654.exe
2009-05-19 15:23 28,672 a------- c:\program files\common files\file.exe
2009-05-19 15:23 2,270,756 a------- c:\program files\common files\InternetAntivirusPro.exe
2009-05-19 15:20 13,312 ----h--- c:\windows\pp09.exe
2009-05-19 14:35 12,800 ----h--- c:\windows\pp08.exe
2009-05-18 15:03 16,384 a------- c:\windows\st_1242673882.exe
2009-05-18 15:03 16,896 a------- c:\windows\st_1242655454.exe
2009-05-05 15:01 10,752 ----h--- c:\windows\pp06.exe
2009-05-03 12:58 4,812 a------- c:\docume~1\kamran~1\applic~1\wklnhst.dat
2009-04-22 15:33 34,304 a------- c:\windows\system32\fow64.dll
2007-12-07 19:23 92,040 a------- c:\docume~1\kamran~1\applic~1\GDIPFONTCACHEV1.DAT
2006-05-03 10:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2009-04-05 18:41 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 12:24:02.21 ===============
kamran500 New Member Date Joined May 2009 Total Posts : 11 Posted 7/18/2009 11:06 PM (GMT +3)
It says the other file should be attached but I don't know how to attach it.
kamran500 New Member Date Joined May 2009 Total Posts : 11 Posted 7/18/2009 11:31 PM (GMT +3)
Should I just copy and paste the stuff that was in the attached file?
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 7/19/2009 7:55 AM (GMT +3) No need for the attached file now.
by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract avenger2.exe to your desktop
Start Avenger
--------------------------------------------------------
Files to delete:
c:\windows\system32\SYSDLL.exe
c:\windows\system32\inform.dat
c:\windows\system32\bekbn.dll
c:\windows\system32\CF12432.exe
c:\windows\system32\CF9294.exe
c:\windows\st_1243640061.exe
c:\windows\system32\CF8271.exe
c:\windows\st_1243534364.exe
c:\windows\st_1243551312.exe
c:\windows\st_1243508593.exe
c:\windows\system32\magks32.dll
c:\windows\st_1243452725.exe
c:\windows\system32\sopidkc.exe
c:\windows\system32\tpsaxyd.exe
c:\windows\system32\dpcxool64.sys
c:\windows\st_1243388353.exe
c:\windows\st_1243403935.exe
c:\windows\system32\file.exe
c:\windows\ld08.exe
c:\windows\romeo15.exe
c:\windows\freddy43.exe
c:\windows\pp10.exe
c:\windows\st_1242762082.exe
c:\windows\st_1242743654.exe
c:\program files\common files\file.exe
c:\program files\common files\InternetAntivirusPro.exe
c:\windows\pp09.exe
c:\windows\pp08.exe
c:\windows\st_1242673882.exe
c:\windows\st_1242655454.exe
c:\windows\pp06.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\twext.exe
c:\windows\system32\msupdt.exe
Folders to delete:
c:\program files\ares
c:\program files\internet antivirus pro
------------------------------------------------------
Copy/paste all the text in bold into the main window
Click Execute
The Avenger will automatically do the following:
It will Restart your computer.
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions.
This log file will be located at C:\avenger.txt
Post C:\avenger.txt in your next reply.
If you can run ComboFix now, please do:
Download ComboFix here ->
Before saving it to the Desktop, please rename it to 321.com to stop malware from disabling it.
Post that log, along with avenger.txt.
kamran500 New Member Date Joined May 2009 Total Posts : 11 Posted 7/19/2009 1:10 PM (GMT +3)
I tried to start up Avenger but it won't let me.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 7/19/2009 1:42 PM (GMT +3)
Rename it to anger.com and see if it will run.
Otherwise try this:
Download and run ComboFix here ->
Before saving it to the Desktop, please rename it to 321.com to stop malware from disabling it.
kamran500 New Member Date Joined May 2009 Total Posts : 11 Posted 7/19/2009 2:41 PM (GMT +3)
Thanks for all the help, my computer's back to normal and everything works again now.
Billy111890 New Member Date Joined Apr 2010 Total Posts : 1 Posted 4/20/2010 5:28 AM (GMT +3)

ComboFix 10-04-18.04 - Billy Cunningham 04/19/2010 20:55:16.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1743 [GMT -5:00]
Running from: c:\users\Billy Cunningham\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1979162389-1941881892-3831843016-500
c:\$recycle.bin\S-1-5-21-427780325-685722781-619065541-500
c:\users\Billy Cunningham\AppData\Roaming\CyberDefender
c:\users\Billy Cunningham\AppData\Roaming\CyberDefender\Registry Cleaner\lastresults.cdr
c:\windows\system32\spool\prtprocs\w32x86\00002d18.tmp
c:\windows\system32\Thumbs.db
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.
2010-04-20 02:06 . 2010-04-20 02:07 -------- d-----w- c:\users\Billy Cunningham\AppData\Local\temp
2010-04-20 02:06 . 2010-04-20 02:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-19 23:55 . 2010-04-19 23:55 -------- d-----w- c:\windows\Sun
2010-04-19 22:47 . 2010-04-19 22:47 1721704 ----a-w- c:\programdata\TOSHIBA\TSS\Plugins\SwUpdates\Packages\5d4dcd63-0e0d-46f3-850e-c0d1ea03fb21\143450_13.13.48.os2010009a_150.exe
2010-04-19 22:44 . 2010-04-19 22:46 24579968 ----a-w- c:\programdata\TOSHIBA\TSS\Plugins\SwUpdates\Packages\ccc50d41-4e71-426e-be0a-5163de4e5d12\165734_11.30.03.TC00174800D.exe
2010-04-19 22:37 . 2010-04-19 22:37 680 ----a-w- c:\users\Billy Cunningham\AppData\Local\d3d9caps.dat
2010-04-19 16:24 . 2010-04-19 16:24 -------- d-----w- c:\program files\Google
2010-04-19 04:04 . 2010-04-19 04:04 95768 ----a-w- c:\users\Billy Cunningham\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-19 02:33 . 2010-04-19 02:33 -------- d-----w- c:\users\Billy Cunningham\AppData\Local\SDLSDWWR
2010-04-14 22:58 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 22:58 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 22:58 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 22:57 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 22:57 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 22:57 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 22:57 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 22:57 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 22:57 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 10:35 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 10:35 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 23:57 . 2009-09-05 22:41 1 ----a-w- c:\users\Billy Cunningham\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-19 16:27 . 2010-01-10 06:17 -------- d-----w- c:\program files\Common Files\AOL
2010-04-19 16:24 . 2009-05-04 03:34 -------- d-----w- c:\program files\Picasa2
2010-04-17 05:43 . 2009-11-10 05:31 -------- d-----w- c:\users\Billy Cunningham\AppData\Roaming\vlc
2010-04-17 04:01 . 2009-09-06 00:20 -------- d-----w- c:\users\Billy Cunningham\AppData\Roaming\BitTorrent
2010-04-08 16:36 . 2009-09-17 01:37 -------- d-----w- c:\users\Billy Cunningham\AppData\Roaming\Skype
2010-04-08 16:19 . 2009-09-17 01:40 -------- d-----w- c:\users\Billy Cunningham\AppData\Roaming\skypePM
2010-03-24 18:37 . 2010-03-13 00:48 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-24 18:37 . 2010-03-13 00:48 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-13 02:12 . 2010-03-13 00:48 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-13 00:48 . 2010-03-13 00:48 22328 ----a-w- c:\users\Billy Cunningham\AppData\Roaming\PnkBstrK.sys
2010-03-13 00:48 . 2010-03-13 00:48 22328 ----a-w- c:\users\Billy Cunningham\AppData\Roaming\PnkBstrK.sys
2010-03-13 00:48 . 2009-05-04 03:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-08 02:53 . 2010-03-08 02:53 -------- d-----w- c:\users\Billy Cunningham\AppData\Roaming\Turbine
2010-03-07 19:11 . 2010-03-07 19:07 -------- d-----w- c:\programdata\PMB Files
2010-02-27 17:57 . 2010-02-27 17:57 -------- d-----w- c:\users\Billy Cunningham\AppData\Roaming\Unity
2010-02-24 15:16 . 2009-10-04 01:15 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 11:46 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 11:46 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 11:46 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 11:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 23:26 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 23:25 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 23:26 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-11 17:54 . 2009-05-04 03:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-23 09:26 . 2010-02-24 20:55 2048 ----a-w- c:\windows\system32\tzres.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-09-05 20:43 . 2009-09-05 20:43 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-09-05 20:42 . 2009-09-05 20:42 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-21 49664]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-07 2937528]
"StartServiceSDLSDWWR"="c:\users\Billy Cunningham\AppData\Local\SDLSDWWR\StartService.exe" [2010-04-19 475136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-13 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-13 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 154136]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-03-07 468320]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-12-18 448376]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-03-23 729088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-18 1451304]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-04-17 2513472]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-03-25 163840]
"Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2009-04-15 1318912]
"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-03-17 304496]
"cfFncEnabler.exe"="c:\program files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-03-24 1007616]
"TPCHWMsg"="c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe" [2009-04-10 570736]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-01 1283384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-06 7600672]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-07-06 1833504]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2010-02-05 454400]
"NetFxUpdate_v1.1.4322"="c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" [2004-08-10 106496]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logicool SetPoint.lnk - c:\program files\Logicool\SetPoint\SetPoint.exe [2009-9-15 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):df,96,33,c6,2b,30,ca,01

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 camsvc;TOSHIBA Web Camera Service;c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [2009-04-17 20544]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2010-02-05 742144]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-02-19 57344]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-04-01 62776]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-04-15 176128]
S2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-03-17 73728]
S2 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-04-10 656752]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-03-21 12920]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-05-29 4233728]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-03-18 22272]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Billy Cunningham\AppData\Roaming\Mozilla\Firefox\Profiles\ij8nzvq8.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\users\Billy Cunningham\AppData\Roaming\Mozilla\Firefox\Profiles\ij8nzvq8.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CyberDefender Registry Cleaner - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 21:07
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys >>UNKNOWN [0x88D858C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x89f15d24
\Driver\ACPI -> acpi.sys @ 0x8069ad68
\Driver\atapi -> ataport.SYS @ 0x828f49f4
\Driver\iaStor -> iaStor.sys @ 0x82858352
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-04-19 21:10:57
ComboFix-quarantined-files.txt 2010-04-20 02:10

Pre-Run: 225,030,328,320 bytes free
Post-Run: 225,316,483,072 bytes free

- - End Of File - - 8F7915E4DF8A7DA1A5105A1659580120

Help me? Or have I fixed it by running ComboFix?
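Both logs in this thread carry the indicators a responder would pull out of a DDS or ComboFix report before deciding what to remove. kamran500's DDS log shows a Winlogon Userinit value that launches three extra executables after userinit.exe (sdra64.exe, twext.exe, msupdt.exe), an IE proxy pointed at localhost:7171, DisableTaskMgr and DisableRegistryTools set to 1, Run entries that are bare names with no directory (SYS32DLL, brastia.exe) or sit directly in c:\windows (ld08.exe), and the .scr/.vbs/.reg/.jse/.vbe associations redirected to NOTEPAD.EXE, which is exactly why DDS.scr opened as a blank Notepad-like window and why the moderator had the tools renamed to .com. Billy111890's ComboFix log has a Run entry, StartServiceSDLSDWWR, launching from a freshly created folder under AppData\Local. The script below is an added example, not code from the thread nor from DDS or ComboFix: it parses sample lines constructed from those two logs and flags each of those indicators. The rule names, the USER_WRITABLE path markers and the "bare name" and "file directly under c:\windows" heuristics are my own choices; the last two are prompts to check, not verdicts, since Billy's log also has legitimate bare-name entries (KHALMNPR.EXE) and kamran500's has RunDLL32.exe.

```python
"""Triage of DDS / ComboFix-style autostart lines for the indicators
seen in this thread (added example; rules and thresholds are my own)."""
import re

# Expected Winlogon Userinit value on XP/Vista; anything after it is an extra launch.
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"

# File types whose default handler must be able to execute them; a NOTEPAD.EXE
# handler silently neuters every tool shipped as .scr/.vbs/.reg (DDS.scr, fixes).
SCRIPT_ASSOC = {"scrfile", "regfile", "vbsfile", "vbefile", "jsfile", "jsefile",
                "exefile", "comfile", "batfile", "cmdfile"}

# Path fragments (lower-case) a standard user can write to; my own list.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\users\\public\\")

RE_USERINIT = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
RE_POLICY = re.compile(r"Policies-system:\s*(DisableTaskMgr|DisableRegistryTools)\s*=\s*1\b", re.I)
RE_PROXY = re.compile(r"ProxyServer\s*=\s*(\S+)", re.I)
RE_ASSOC = re.compile(r"^(\w+file)=(.+)$", re.I)
RE_DDS_RUN = re.compile(r"^[umd]Run:\s*\[(.+?)\]\s*(.*)$", re.I)          # uRun: [name] cmd
RE_CF_RUN = re.compile(r'^"(.+?)"="(.+?)"\s*\[\d{4}-\d{2}-\d{2} \d+\]$')  # "name"="path" [date size]

# Constructed sample: lines taken from the two logs posted above plus benign ones.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:7171
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,c:\windows\system32\twext.exe,c:\windows\system32\msupdt.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SYS32DLL] SYS32DLL
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [brastia] brastia.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
scrfile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"StartServiceSDLSDWWR"="c:\users\Billy Cunningham\AppData\Local\SDLSDWWR\StartService.exe" [2010-04-19 475136]
"""


def executable_from_command(cmd):
    """Return the executable part of an autostart command line, lower-cased.
    Quoted paths end at the closing quote; unquoted ones are cut after the
    first '.exe' (DDS prints unquoted paths containing spaces); otherwise the
    first token is taken."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    low = cmd.lower()
    i = low.find(".exe")
    if i >= 0:
        return low[: i + 4]
    return low.split()[0] if low else ""


def check_run_target(name, exe):
    """Structural checks on where a Run entry's executable lives."""
    if "\\" not in exe:
        return ("run_bare_name", f"{name}: '{exe}' has no directory, resolved via PATH search")
    if any(marker in exe for marker in USER_WRITABLE):
        return ("run_user_writable", f"{name}: {exe}")
    directory = exe.rsplit("\\", 1)[0]
    if directory in ("c:\\windows", "c:\\winnt"):
        return ("run_windows_root", f"{name}: {exe}")
    return None


def triage(log_text):
    """Return a list of (rule, evidence) tuples, one per flagged indicator."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_USERINIT.match(line)
        if m:
            entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
            findings.extend(("userinit_extra", e) for e in entries if e != USERINIT_DEFAULT)
            continue
        m = RE_POLICY.search(line)
        if m:
            findings.append(("admin_tool_disabled", m.group(1)))
            continue
        m = RE_PROXY.search(line)
        if m and re.search(r"localhost|127\.0\.0\.1", m.group(1), re.I):
            findings.append(("local_proxy", m.group(1)))  # traffic interception point
            continue
        m = RE_ASSOC.match(line)
        if m and m.group(1).lower() in SCRIPT_ASSOC and "notepad.exe" in m.group(2).lower():
            findings.append(("assoc_hijack", f"{m.group(1)} -> {m.group(2).strip()}"))
            continue
        m = RE_DDS_RUN.match(line) or RE_CF_RUN.match(line)
        if m:
            hit = check_run_target(m.group(1), executable_from_command(m.group(2)))
            if hit:
                findings.append(hit)
    return findings


def count_by_rule(findings):
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:20} {evidence}")
```

Run against the sample it reports the three extra Userinit executables, the localhost proxy, both disabled admin tools, the two redirected associations, the two bare-name Run entries, ld08.exe in the Windows root, and the AppData\Local launcher; ctfmon.exe and msnmsgr.exe pass. The Userinit and association checks are the ones worth acting on first: a Userinit implant runs at every logon before the shell, and until .scr/.com/.reg handlers are restored nothing delivered in those formats will execute, which is what the rename-to-.com advice in this thread works around.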