Jump to content

The security center service cannot be started and browser hijack


Recommended Posts

Maniac was helping me with this problem previously.

I have already has a previous post about this topic that his been closed but I am in the process of having the thread reopened. Sorry about that but I got really busy and had to put it on hold for a bit. Here is a link to it:

http://forums.malwarebytes.org/index.php?showtopic=107396&st=0&p=535406&hl=knight78&fromsearch=1entry535406

In any case, I was able to use combofix and my log is attached at the bottom. After it finished the log file though, none of my files or programs would work at first and said they were part of a registry that was marked for deletion. I saved the log on a flash drive and restarted the computer. Programs and files worked after that but I still cannot turn on the firewall. Is this normal after using combofix? I need some guidance.

Thanks a ton as always.

ComboFix 12-03-30.06 - Wheels 03/30/2012 16:21:39.2.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.1150 [GMT -4:00]

Running from: c:\users\Wheels\Downloads\SpywareMalware_Tools\ComboFix.exe

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Skype

c:\skype\SkypeSetup.exe

c:\windows\system32\dds_trash_log.cmd

c:\windows\system32\drivers\etc\lmhosts

.

.

((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))

.

.

2012-03-30 20:36 . 2012-03-30 20:36 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-03-18 17:59 . 2012-03-18 17:59 -------- d--h--w- c:\programdata\Common Files

2012-03-18 17:57 . 2012-03-30 19:33 -------- d-----w- c:\windows\system32\drivers\AVG

2012-03-18 17:54 . 2012-03-30 19:36 -------- d-----w- c:\programdata\MFAData

2012-03-18 16:24 . 2012-03-30 20:12 -------- d-----w- C:\TDSSKiller_Quarantine

2012-03-16 18:21 . 2012-03-16 18:21 -------- d-----w- c:\windows\Sun

2012-03-16 04:03 . 2012-03-16 04:03 -------- d-----w- c:\users\Wheels\AppData\Local\ElevatedDiagnostics

2012-03-13 16:49 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll

2012-03-13 16:49 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-30 20:14 . 2011-06-17 08:05 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys

2012-03-18 16:26 . 2008-01-21 02:24 184320 ----a-w- c:\windows\system32\drivers\netbt.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\users\Wheels\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\users\Wheels\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\users\Wheels\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-02-22 26101032]

"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]

"WallpaperSS"="c:\program files\WallpaperSS\WallpaperSS.exe" [2009-10-26 454288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]

"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]

"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"NDSTray.exe"="NDSTray.exe" [bU]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-20 136544]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 1983816]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-01-13 981680]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]

.

c:\users\Wheels\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Wheels\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

USB_RNDIS

s716obex

pdagent

MailService

symevent

ARCSOFTVIRTUALCAPTURE

atinrvxx

EACSys

sis162u

isdrv120

pxfhmdfl

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C97751B1-BF63-4867-87FB-49B72502DBCD}]

2003-08-13 09:03 710 ----a-r- c:\program files\Microsoft Office\Office10\OfficeXPFirstRun.vbs

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3622529714-1796868253-3439364594-1000Core.job

- c:\users\Wheels\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-16 20:27]

.

2012-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3622529714-1796868253-3439364594-1000UA.job

- c:\users\Wheels\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-16 20:27]

.

.

------- Supplementary Scan -------

.

uLocal Page = \blank.htm

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

TCP: DhcpNameServer = 192.168.10.1

DPF: {7340F0E4-AEDA-47C6-8971-9DB314030BD7} - hxxp://websp.hsc.wvu.edu/w/static/amc/h264_decoder.cab

DPF: {BA7A56EB-D1B9-443B-96E9-086532A378F1} - hxxp://websp.hsc.wvu.edu/w/static/amc/aac_decoder.cab

DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://websp.hsc.wvu.edu/w/static/amc/mpeg4_decoder.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://websp.hsc.wvu.edu/w/static/amc/amc.cab

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE

HKCU-Run-Aim6 - (no file)

HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe

HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe

SafeBoot-05827678.sys

SafeBoot-16570431.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-30 16:39

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]

"ImagePath"="."

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]

"ImagePath"="."

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3622529714-1796868253-3439364594-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

"??"=hex:05,0e,c8,ab,0a,88,bf,75,df,33,52,c6,2b,5f,bf,4c,50,9c,d4,d3,89,41,d2,

24,19,be,cb,a2,a2,61,21,8e,4b,ed,f4,f2,e8,2d,b4,2b,75,57,39,fc,6e,ab,38,c1,\

"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(2908)

c:\users\Wheels\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\WLANExt.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\toshiba\IVP\ISM\pinger.exe

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe

c:\windows\system32\TODDSrv.exe

c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe

c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe

.

**************************************************************************

.

Completion time: 2012-03-30 16:46:18 - machine was rebooted

ComboFix-quarantined-files.txt 2012-03-30 20:46

.

Pre-Run: 68,150,845,440 bytes free

Post-Run: 68,348,248,064 bytes free

.

- - End Of File - - 3ABD88C82C2E2030FE30D62B5CBD6E49

Link to post
Share on other sites

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.