Jump to content

Scvhost.exe | Infected Trojan.Agent


Amends

Recommended Posts

Tried removing this several times with Malwarebytes to no avail.

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 1.6.0_31

Run by Marcus at 11:40:11 on 2012-12-19

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4027.1231 [GMT -7:00]

.

AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\nvvsvc.exe

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\nvvsvc.exe

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe

C:\windows\SysWOW64\svchost.exe -k Akamai

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\windows\System32\svchost.exe -k HPZ12

\\.\globalroot\systemroot\svchost.exe -netsvcs

C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\system32\ThpSrv.exe

C:\Windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Program Files\TOSHIBA\TECO\TecoService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\System32\ThpSrv.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\TOSHIBA\TECO\Teco.exe

C:\windows\system32\svchost.exe -k WindowsMobile

C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe

C:\Users\Marcus\AppData\Local\Google\Update\1.3.21.123\GoogleCrashHandler.exe

C:\Users\Marcus\AppData\Local\Google\Update\1.3.21.123\GoogleCrashHandler64.exe

C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\windows\system32\svchost.exe -k SDRSVC

C:\Program Files (x86)\iTunes\iTunes.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe

C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe

C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe

C:\windows\system32\wuauclt.exe

C:\Users\Marcus\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Marcus\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Marcus\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Marcus\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Marcus\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Marcus\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Marcus\AppData\Local\Temp\nsqF2D8.tmp\PEV.DAT

C:\Users\Marcus\AppData\Local\Temp\nseB868.tmp\PEV.DAT

C:\Users\Marcus\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Marcus\AppData\Local\Google\Chrome\Application\chrome.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: BitComet Helper: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files (x86)\BitComet\tools\BitCometBHO_1.4.8.11.dll

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll

BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ipsbho.dll

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll

uRun: [Google Update] "C:\Users\Marcus\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

uRun: [puush] C:\Program Files (x86)\puush\puush.exe

mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun: [TSleepSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: &D&ownload &with BitComet - C:\Program Files (x86)\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all with BitComet - C:\Program Files (x86)\BitComet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files (x86)\BitComet\tools\BitCometBHO_1.4.8.11.dll/206

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

.

INFO: HKLM has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{20EB0DA9-6EC3-49FE-AAEF-B335B074E73A} : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{20EB0DA9-6EC3-49FE-AAEF-B335B074E73A}\2375942554532313 : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{20EB0DA9-6EC3-49FE-AAEF-B335B074E73A}\4527166756C6F6467656 : DHCPNameServer = 192.168.3.1

TCP: Interfaces\{20EB0DA9-6EC3-49FE-AAEF-B335B074E73A}\45C4D2D41494E4 : DHCPNameServer = 192.168.0.1

TCP: Interfaces\{20EB0DA9-6EC3-49FE-AAEF-B335B074E73A}\45C4D2E4F4254584D2D45393 : DHCPNameServer = 192.168.0.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll

x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\System32\NvCpl.dll,NvStartup

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [ThpSrv] C:\windows\System32\thpsrv /logon

x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe

x64-Run: [smoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe

x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r

x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe

x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe

x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe

x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

.

INFO: x64-HKLM has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab

x64-DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

x64-DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab

x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab

x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>

x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\e57wud0r.default\

FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn_2010_9_0_6\components\coFFPlgn.dll

FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Marcus\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.brc - BRI/1

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;C:\windows\System32\drivers\N360x64\0404000.00C\symds64.sys [2011-10-31 433200]

R0 SymEFA;Symantec Extended File Attributes;C:\windows\System32\drivers\N360x64\0404000.00C\symefa64.sys [2011-10-31 221304]

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\System32\drivers\thpdrv.sys [2009-6-29 34880]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\System32\drivers\Thpevm.sys [2009-6-29 14784]

R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\System32\drivers\tos_sps64.sys [2010-6-14 482384]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20121130.005\BHDrvx64.sys [2012-12-4 1384608]

R1 ccHP;Symantec Hash Provider;C:\windows\System32\drivers\N360x64\0404000.00C\cchpx64.sys [2011-10-31 593544]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20121215.001\IDSviA64.sys [2012-12-17 513184]

R1 SymIRON;Symantec Iron Driver;C:\windows\System32\drivers\N360x64\0404000.00C\ironx64.sys [2011-10-31 150064]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\windows\System32\drivers\N360x64\0404000.00C\symtdiv.sys [2011-10-31 451704]

R2 Akamai;Akamai NetSession Interface;C:\windows\System32\svchost.exe -k Akamai [2009-7-13 27136]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe [2010-9-13 308656]

R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccsvchst.exe [2011-10-31 126400]

R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-11-22 3290304]

R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-4-6 258928]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]

R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-6-14 2320920]

R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-12-17 138912]

R3 HECIx64;Intel® Management Engine Interface;C:\windows\System32\drivers\HECIx64.sys [2010-6-14 56344]

R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2010-6-14 35008]

R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2010-6-14 331880]

R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\System32\drivers\rtl8192se.sys [2010-6-14 1103904]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]

R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]

S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-14 160944]

S3 acpials;ALS Sensor Filter;C:\windows\System32\drivers\acpials.sys [2009-7-14 9728]

S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;C:\windows\System32\drivers\BVRPMPR5a64.SYS [2012-10-24 35840]

S3 JMCR;JMCR;C:\windows\System32\drivers\jmcr.sys [2010-5-18 164464]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-6-14 51512]

S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2010-8-15 1255736]

.

=============== Created Last 30 ================

.

2012-12-19 17:54:23 20480 ------w- C:\windows\svchost.exe

2012-12-16 05:59:55 7168 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\35C9.tmp

2012-12-16 05:59:55 7168 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\35C8.tmp

2012-12-13 00:08:39 2048 ----a-w- C:\windows\SysWow64\tzres.dll

2012-12-13 00:07:59 362496 ----a-w- C:\windows\System32\wow64win.dll

2012-11-26 06:34:28 -------- d-----w- C:\Users\Marcus\AppData\Roaming\puush

2012-11-26 06:33:39 -------- d-----w- C:\Program Files (x86)\puush

.

==================== Find3M ====================

.

2012-11-22 08:20:36 3147264 ----a-w- C:\windows\System32\win32k.sys

2012-11-14 06:11:44 2312704 ----a-w- C:\windows\System32\jscript9.dll

2012-11-14 06:04:11 1392128 ----a-w- C:\windows\System32\wininet.dll

2012-11-14 06:02:49 1494528 ----a-w- C:\windows\System32\inetcpl.cpl

2012-11-14 05:57:46 599040 ----a-w- C:\windows\System32\vbscript.dll

2012-11-14 05:57:35 173056 ----a-w- C:\windows\System32\ieUnatt.exe

2012-11-14 05:52:40 2382848 ----a-w- C:\windows\System32\mshtml.tlb

2012-11-14 02:09:22 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- C:\windows\SysWow64\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- C:\windows\SysWow64\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb

2012-11-09 05:34:27 2048 ----a-w- C:\windows\System32\tzres.dll

2012-11-05 16:25:51 46080 ----a-w- C:\windows\System32\atmlib.dll

2012-11-05 14:17:16 367616 ----a-w- C:\windows\System32\atmfd.dll

2012-11-05 14:03:21 295424 ----a-w- C:\windows\SysWow64\atmfd.dll

2012-11-05 14:03:13 34304 ----a-w- C:\windows\SysWow64\atmlib.dll

2012-11-02 05:27:51 478208 ----a-w- C:\windows\System32\dpnet.dll

2012-11-02 04:48:28 376832 ----a-w- C:\windows\SysWow64\dpnet.dll

2012-10-16 21:20:49 135168 ----a-w- C:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 21:20:46 347648 ----a-w- C:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 20:34:37 559104 ----a-w- C:\windows\apppatch\AcLayers.dll

2012-10-04 17:38:56 243200 ----a-w- C:\windows\System32\wow64.dll

2012-10-04 17:38:56 13312 ----a-w- C:\windows\System32\wow64cpu.dll

2012-10-04 17:38:24 215040 ----a-w- C:\windows\System32\winsrv.dll

2012-10-04 17:35:22 16384 ----a-w- C:\windows\System32\ntvdm64.dll

2012-10-04 17:32:16 425984 ----a-w- C:\windows\System32\KernelBase.dll

2012-10-04 16:54:18 5120 ----a-w- C:\windows\SysWow64\wow32.dll

2012-10-04 16:54:17 274944 ----a-w- C:\windows\SysWow64\KernelBase.dll

2012-10-04 15:19:57 338432 ----a-w- C:\windows\System32\conhost.exe

2012-10-04 14:49:27 25600 ----a-w- C:\windows\SysWow64\setup16.exe

2012-10-04 14:49:24 7680 ----a-w- C:\windows\SysWow64\instnm.exe

2012-10-04 14:49:22 2048 ----a-w- C:\windows\SysWow64\user.exe

2012-10-04 14:49:22 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll

2012-10-04 14:44:29 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-10-04 14:44:29 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-10-04 14:44:29 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-10-04 14:44:29 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2012-09-30 01:54:26 25928 ----a-w- C:\windows\System32\drivers\mbam.sys

2012-09-25 22:39:14 95744 ----a-w- C:\windows\System32\synceng.dll

2012-09-25 21:55:17 78336 ----a-w- C:\windows\SysWow64\synceng.dll

.

============= FINISH: 11:42:11.20 ===============

attach.txt

Link to post
Share on other sites

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)

Link to post
Share on other sites

RogueKiller V8.4.0 [Dec 18 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Marcus [Admin rights]

Mode : Scan -- Date : 12/19/2012 12:20:27

¤¤¤ Bad processes : 3 ¤¤¤

[sVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

[sUSP PATH] GoogleCrashHandler.exe -- C:\Users\Marcus\AppData\Local\Google\Update\1.3.21.123\GoogleCrashHandler.exe -> KILLED [TermProc]

[sUSP PATH] GoogleCrashHandler64.exe -- C:\Users\Marcus\AppData\Local\Google\Update\1.3.21.123\GoogleCrashHandler64.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤

[RUN][sUSP PATH] HKUS\S-1-5-21-2000211158-3236653940-1397710115-1000[...]\Run : GenieoUpdaterService ("C:\Users\Marcus\AppData\Roaming\Genieo\Application\Updater\bin\genupdater.exe" -wait 5) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2000211158-3236653940-1397710115-1000[...]\Run : GenieoSystemTray ("C:\Users\Marcus\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe") -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2000211158-3236653940-1397710115-1000[...]\Run : Exent_SDM (C:\Users\UpdatusUser\AppData\Local\Temp\SDM143\Free Ride Games.exe "l 'Startup' u 'hxxp://www.freeridegames.com/do/SDMC?action=config&type=FULLSTARTUP&contentId=586350&sId=w3i_us_games_nolaunch' p '143' c '466550'") -> FOUND

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[sCREENSV][sUSP PATH] HKCU\[...]\Desktop (C:\windows\es.scr) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 1000gratisproben.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1001namen.com

127.0.0.1 www.1001namen.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100888290cs.com

127.0.0.1 www.100sexlinks.com

127.0.0.1 100sexlinks.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6465GSX +++++

--- User ---

[MBR] ba3c88b3ada06a85ed9ee0146a5c15b9

[bSP] 0fb40993228c7952e86dd534666e748f : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 598098 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1227978752 | Size: 10881 Mo

User != LL1 ... KO!

--- LL1 ---

[MBR] cd7a8e38b34b28c35455ccec73e40738

[bSP] 0fb40993228c7952e86dd534666e748f : Windows Vista MBR Code

Partition table:

1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 598098 Mo

3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1227978752 | Size: 10881 Mo

User != LL2 ... KO!

--- LL2 ---

[MBR] cd7a8e38b34b28c35455ccec73e40738

[bSP] 0fb40993228c7952e86dd534666e748f : Windows Vista MBR Code

Partition table:

1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 598098 Mo

3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1227978752 | Size: 10881 Mo

Finished : << RKreport[1]_S_12192012_02d1220.txt >>

RKreport[1]_S_12192012_02d1220.txt

Link to post
Share on other sites

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC

Link to post
Share on other sites

That's good news but we're not done yet.

First > can you post the logs from MBAR

Then................

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Here's the ComboFix log

ComboFix 12-12-20.02 - Marcus 12/20/2012 10:00:43.1.8 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4027.1437 [GMT -7:00]

Running from: c:\users\Marcus\Desktop\ComboFix.exe

AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\Microsoft\Windows\DRM\35C8.tmp

c:\programdata\Microsoft\Windows\DRM\35C9.tmp

c:\users\Marcus\.COMMgr

c:\users\Marcus\AppData\Roaming\RSBot.db

c:\windows\security\Database\tmp.edb

.

.

((((((((((((((((((((((((( Files Created from 2012-11-20 to 2012-12-20 )))))))))))))))))))))))))))))))

.

.

2012-12-13 00:08 . 2012-11-09 05:34 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-13 00:07 . 2012-10-04 17:38 362496 ----a-w- c:\windows\system32\wow64win.dll

2012-11-26 06:34 . 2012-11-26 06:34 -------- d-----w- c:\users\Marcus\AppData\Roaming\puush

2012-11-26 06:33 . 2012-11-26 06:35 -------- d-----w- c:\program files (x86)\puush

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-13 10:16 . 2010-09-28 05:54 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-10-16 21:20 . 2012-11-28 06:52 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 21:20 . 2012-11-28 06:52 347648 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 20:34 . 2012-11-28 06:52 559104 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-10-04 16:45 . 2012-12-13 00:08 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-09-30 01:54 . 2012-10-20 00:08 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-25 22:39 . 2012-11-16 05:06 95744 ----a-w- c:\windows\system32\synceng.dll

2012-09-25 21:55 . 2012-11-16 05:06 78336 ----a-w- c:\windows\SysWow64\synceng.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"puush"="c:\program files (x86)\puush\puush.exe" [2012-11-26 565480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-12-25 34160]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]

"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-02-23 352256]

"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"Z1"="c:\users\Marcus\Desktop\mbar\mbar.exe" [2012-12-04 1342312]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.exe [2012-06-11 193616]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]

R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-11-22 3290304]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-14 160944]

R3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-14 9728]

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2009-10-01 35840]

R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-06-25 52320]

R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2010-05-18 164464]

R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-15 1255736]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0404000.00C\SYMDS64.SYS [2009-10-15 433200]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0404000.00C\SYMEFA64.SYS [2011-08-22 221304]

S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-06-29 34880]

S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 14784]

S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2010-03-06 482384]

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20121130.005\BHDrvx64.sys [2012-10-23 1384608]

S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360x64\0404000.00C\ccHPx64.sys [2011-08-04 593544]

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20121215.001\IDSvia64.sys [2012-09-06 513184]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0404000.00C\Ironx64.SYS [2010-04-29 150064]

S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360x64\0404000.00C\SYMTDIV.SYS [2011-08-22 451704]

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]

S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files (x86)\Kodak\AiO\Center\ekdiscovery.exe [2010-09-14 308656]

S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe [2011-08-04 126400]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-04-06 258928]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]

S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe [2012-06-11 240208]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-09 138912]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]

S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-05-03 331880]

S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-04-27 1103904]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]

S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000211158-3236653940-1397710115-1002Core.job

- c:\users\Marcus\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-12 19:14]

.

2012-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000211158-3236653940-1397710115-1002UA.job

- c:\users\Marcus\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-12 19:14]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-05-05 17412200]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-22 10134560]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-22 896032]

"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: &D&ownload &with BitComet - c:\program files (x86)\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all with BitComet - c:\program files (x86)\BitComet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\e57wud0r.default\

FF - user.js: general.useragent.extra.brc - BRI/1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-TSleepSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe

HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe

HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe

HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]

"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\4.4.0.12\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]

"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_ce5ba24.dll"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-12-20 10:25:02

ComboFix-quarantined-files.txt 2012-12-20 17:25

.

Pre-Run: 277,194,059,776 bytes free

Post-Run: 276,820,373,504 bytes free

.

- - End Of File - - D5DC88C3CA36B0CC9A2089F04487EE89

Link to post
Share on other sites

Looks Good...lets check the system for any adware.......

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

MrC

Link to post
Share on other sites

# AdwCleaner v2.101 - Logfile created 12/20/2012 at 11:14:03

# Updated 16/12/2012 by Xplode

# Operating system : Windows 7 Home Premium (64 bits)

# User : Marcus - MARCUS-PC

# Boot Mode : Normal

# Running from : C:\Users\Marcus\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

File Found : C:\Program Files (x86)\Mozilla Firefox\.autoreg

Folder Found : C:\ProgramData\Partner

Folder Found : C:\ProgramData\WeCareReminder

Folder Found : C:\Users\Marcus\AppData\Local\Smartbar

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Crossrider

Key Found : HKCU\Software\cacaoweb

Key Found : HKLM\Software\Conduit

Key Found : HKLM\Software\Freeze.com

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}

Key Found : HKLM\SOFTWARE\Software

Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.24 (en-US)

Profile name : default

File : C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\e57wud0r.default\prefs.js

Found : user_pref("extensions.illimitux.ilx_pref_pt_veoh", true);

Found : user_pref("extensions.vshareus@toolbar.update.enabled", false);

-\\ Google Chrome v23.0.1271.97

File : C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1538 octets] - [20/12/2012 11:14:03]

########## EOF - C:\AdwCleaner[R1].txt - [1598 octets] ##########

Link to post
Share on other sites

Some adware found....lets clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then...........

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.