I'm infected!

[petbluedragon]

DDS.txt

DDS.txt

Helping a friend figure out a virus. All icons and program listings are gone. Everything seems to be there, as I can open explorer and see files and programs. Any help would be appreciated!

Thanks!

Attach.txt

[screen317]

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.

[petbluedragon]

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.

Sorry about that. I can't install MBAM on the computer. It won't actually let me install anything. Not even as the administrator.

Here is the DDS.txt that I just ran:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL

Internet Explorer: 9.0.8112.16421

Run by Test at 18:54:45 on 2011-11-01

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4044.3094 [GMT -5:00]

.

AV: SymantecAntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: SymantecAntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

C:\windows\system32\svchost.exe -k NetworkService

C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe

C:\windows\Explorer.EXE

C:\windows\system32\ctfmon.exe

C:\windows\helppane.exe

C:\windows\system32\DllHost.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://start.toshiba.com/?cid=C001B2Y

uDefault_Page_URL = hxxp://start.toshiba.com/?cid=C001B2Y

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"

mRun: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe

mRun: [nFEDeRLYbhvow.exe] C:\ProgramData\nFEDeRLYbhvow.exe

StartupFolder: C:\Users\Test\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\BESTBU~1.LNK - C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: DisableTaskMgr = 1 (0x1)

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 68.87.77.134 68.87.72.134

TCP: Interfaces\{2E92F091-7CF9-4276-B28F-BE5CD05A0EBF} : DhcpNameServer = 128.101.101.101 134.84.84.84

TCP: Interfaces\{FA3530ED-77AE-4BAB-9C81-2E0B83A258A8} : DhcpNameServer = 68.87.77.134 68.87.72.134

TCP: Interfaces\{FA3530ED-77AE-4BAB-9C81-2E0B83A258A8}\34869607F647C656D274 : DhcpNameServer = 192.168.20.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll

BHO-X64: Symantec NCO BHO - No File

BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL

BHO-X64: Symantec Intrusion Prevention - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun-x64: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"

mRun-x64: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe

mRun-x64: [nFEDeRLYbhvow.exe] C:\ProgramData\nFEDeRLYbhvow.exe

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]

R2 Symantec AntiVirus;Symantec AntiVirus;C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe [2009-9-16 1961768]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]

R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]

R3 QIOMem;Generic IO & Memory Access;C:\windows\system32\DRIVERS\QIOMem.sys --> C:\windows\system32\DRIVERS\QIOMem.sys [?]

S1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-3 136176]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\Toshiba\TECO\TecoService.exe [2011-3-2 266680]

S2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-3 2656280]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-10-26 136824]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-3 136176]

S3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]

S3 RSUSBVSTOR;RTSUVSTOR.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RTSUVSTOR.sys --> C:\windows\system32\Drivers\RTSUVSTOR.sys [?]

S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]

S3 SrvHsfHDA;SrvHsfHDA;C:\windows\system32\DRIVERS\VSTAZL6.SYS --> C:\windows\system32\DRIVERS\VSTAZL6.SYS [?]

S3 SrvHsfV92;SrvHsfV92;C:\windows\system32\DRIVERS\VSTDPV6.SYS --> C:\windows\system32\DRIVERS\VSTDPV6.SYS [?]

S3 SrvHsfWinac;SrvHsfWinac;C:\windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\windows\system32\DRIVERS\VSTCNXT6.SYS [?]

S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-7-3 54136]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-8 137632]

S3 TPCHSrv;TPCH Service;C:\Program Files\Toshiba\TPHM\TPCHSrv.exe [2010-12-20 822704]

S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2011-10-31 00:05:12 -------- d-----w- C:\Users\Test\AppData\Local\TOSHIBA

2011-10-31 00:05:12 -------- d-----w- C:\Users\Test\AppData\Local\Symantec

2011-10-31 00:04:49 -------- d-----w- C:\Users\Test\AppData\Local\VirtualStore

2011-10-30 23:06:21 -------- d-----w- C:\Users\Test\AppData\Roaming\Malwarebytes

2011-10-27 00:34:10 322960 ---ha-w- C:\ProgramData\6DSS92c31Apgjk.exe

2011-10-27 00:18:29 397200 ---ha-w- C:\ProgramData\nFEDeRLYbhvow.exe

2011-10-22 23:10:33 -------- d--h--w- C:\ProgramData\Malwarebytes

2011-10-22 23:10:30 25416 ----a-w- C:\windows\System32\drivers\mbam.sys

2011-10-22 23:10:29 -------- d--h--w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-10-19 20:53:08 172080 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS

2011-10-19 20:53:07 -------- d--h--w- C:\Program Files\Symantec

2011-10-19 20:52:58 -------- d--h--w- C:\Program Files\Common Files\Symantec Shared

2011-10-19 20:52:55 -------- d--h--w- C:\Program Files (x86)\Symantec AntiVirus

2011-10-19 20:30:45 -------- d-sh--w- C:\$RECYCLE.BIN

2011-10-19 20:14:32 -------- d--h--w- C:\ProgramData\Toshiba Book Place

2011-10-19 20:14:18 98816 ---ha-w- C:\windows\sed.exe

2011-10-19 20:14:18 518144 ---ha-w- C:\windows\SWREG.exe

2011-10-19 20:14:18 256000 ---ha-w- C:\windows\PEV.exe

2011-10-19 20:14:18 208896 ---ha-w- C:\windows\MBR.exe

2011-10-19 20:14:10 -------- d--h--w- C:\ComboFix

2011-10-18 16:25:26 9049936 ---ha-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D8527372-A237-4EDC-8C17-C8E79B5E5E76}\mpengine.dll

2011-10-18 14:22:22 -------- d-sh--w- C:\windows\SysWow64\%APPDATA%

2011-10-18 14:18:25 20480 ---ha-w- C:\windows\svchost.exe

2011-10-12 18:28:36 3138048 ----a-w- C:\windows\System32\win32k.sys

2011-10-12 18:26:18 75776 ----a-w- C:\windows\SysWow64\psisrndr.ax

2011-10-12 18:26:18 613888 ----a-w- C:\windows\System32\psisdecd.dll

2011-10-12 18:26:18 465408 ----a-w- C:\windows\SysWow64\psisdecd.dll

2011-10-12 18:26:18 108032 ----a-w- C:\windows\System32\psisrndr.ax

2011-10-12 18:25:04 861696 ----a-w- C:\windows\System32\oleaut32.dll

2011-10-12 18:25:04 571904 ----a-w- C:\windows\SysWow64\oleaut32.dll

2011-10-12 18:25:04 331776 ----a-w- C:\windows\System32\oleacc.dll

2011-10-12 18:25:04 233472 ----a-w- C:\windows\SysWow64\oleacc.dll

.

==================== Find3M ====================

.

.

============= FINISH: 18:56:17.14 ===============

[screen317]

Hi,

• Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  
• Execute the file TDSSKiller.exe by double-clicking on it.
  
• Wait for the scan and disinfection process to be over.
  
• When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

[screen317]

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!