Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

User Tag List

Virus problem reposted after initial steps taken as requested

This is a discussion on Virus problem reposted after initial steps taken as requested within the Resolved HJT Threads forums, part of the Tech Support Forum category. Hallo again and thank you so much for taking the time to help it is greatly appreciated x So sorry


 
 
Thread Tools Search this Thread
Old 07-13-2011, 04:17 PM   #1
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



Hallo again and thank you so much for taking the time to help it is greatly appreciated x
So sorry for all the hassle but none of the initial steps has gone to plan

Initial steps taken as follows ~

I could not disable script blocker as I couldn’t navigate to security once I had gotten into internet options tools
Managed to run dds but laptop would not allow me to save as it was so I had to copy and paste results into a web mail program and access from a different computer.
*DDS* TXT FOLLOWS (THE OTHER FILE I CAN PASTE IN AS TEXT IF YOU WANT IT BUT CANNOT ZIP IT DUE TO PC I'M CURRENTLY USING)

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by sp00kyg at 23:36:50 on 2011-07-13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3061.1890 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\Toshiba Online Product Information\TOPI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\McAfee Security Scan\2.0.181\McUICnt.exe
C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
mDefault_Page_URL = hxxp://www.google.co.uk
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110519110759.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [HDMICtrlMan] c:\program files\toshiba\hdmictrlman\HDMICtrlMan.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\sp00kyg\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - eBay - one of the UK's largest shopping destinations
IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - Amazon.co.uk: Low Prices in Electronics, Books, Sports Equipment & more
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: learndirect.co.uk\www
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab
DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} - hxxps://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.tescophoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4A9DD519-62CC-44A8-A7C2-761A80113971} : DhcpNameServer = 192.168.1.254
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sp00kyg\appdata\roaming\mozilla\firefox\profiles\d7e1vf9n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: XULRunner: {3EA970E3-C0B0-4299-9A98-D720B94CC395} - c:\users\sp00kyg\appdata\local\{3EA970E3-C0B0-4299-9A98-D720B94CC395}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-12 387480]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-6-22 53816]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-10-12 64584]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-12 165032]
R1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\26762\RapportCerberus_26762.sys [2011-6-1 57144]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-6-22 66360]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-6-22 158904]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-6-23 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-10-12 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-10-12 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-10-12 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-10-12 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-10-12 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-12 141792]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-6-23 90112]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-6-22 870200]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-2-8 1153368]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-12 56064]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-2-15 187904]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-2-15 111616]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-10-12 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-10-12 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-12 314088]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-1-15 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2009-7-7 43392]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-24 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-12 84488]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-13 09:11:59 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-07-13 09:11:43 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-13 09:11:43 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-06-29 15:01:17 276992 ----a-w- c:\windows\system32\schannel.dll
2011-06-28 17:59:10 -------- d-----w- c:\users\sp00kyg\appdata\local\{3D541421-1342-4977-909B-1F8E2668B6A1}
2011-06-22 17:01:26 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-06-19 11:44:55 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-19 11:44:54 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-19 11:44:53 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-15 1857 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-15 1833 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 1828 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 1827 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 1823 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 18:05:46 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 18:05:42 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 18:05:41 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 18:05:41 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 18:05:35 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-06-15 10:08:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-05-29 08:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 03:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-06 18:45:31 396288 ----a-w- c:\program files\HijackThis.exe
.
============= FINISH: 23:37:58.45 ===============

I could open my antivirus but not make any changes, it is all showing as fully protected and would not allow me to change it. When my problems first occurred last week it was showing as unprotected and every time I turned it on it went straight off again, I don’t know why this has changed.


With GMER.exe I had no option but to scan or not scan. I could only open by right click open and it started to scan straight away, when I tried to uncheck any of the boxes on the right hand side it just closed down on me. Once scanned it would not allow me to save or copy the results in anyway.

I have a Toshiba laptop 32bit vista home premium service pack 2
I hope this is enough info about the machine


The problems started on the 6th july last week
My daughter was playing cbeebies games last week when the laptop just froze mid game, since then it boots up but I cannot navigate properly with the mouse, I can access the internet but use is limited, windows need to be closed by right click close, links have to be opened by right click open new in new window, email opens but won't function properly, start can only be accessed by pressing the window key. MacAfee scans but shows no virus or freezes before end of scan, malwarebytes did the same or shows no problem, I can't update Antimalware because I cant move along the tabs, I cannot access system restore as it just wont open, I have tried looking for online scans like trend micro but they wont run, and cannot access windows support. I can open my pc and navigate by right click open, I have no idea what to do. The use of websites are very limited when looking for help, i have to shut down via ctrl alt delete then shut down, sometimes this doesn’t work. All above functions are temperamental and the whole machine behaves differently each time I boot up. Sometimes I the curser has a large highlighted blue square that just drags around and it changes size
I would be very glad for any help given, thank you so much for your time


Stevie
(ps i am unable to use this site with the laptop am currently on another machine)
steviev is offline  
Sponsored Links
Advertisement
 
Old 07-15-2011, 06:46 AM   #2
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Hello, Welcome to TSF.
I'm nasdaq and will be helping you.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programs, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.
===

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
===

Download this tool on the infected computer if you can.
if not use a good computer and download the same way you did with the previous tool.

Please download Malwarebytes Anti-Malware and save it to your desktop of the infected computer.[list]
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.

Please let me know if you can connect to the internet with the problem computer in the normal mode.

If not try Safe Mode with Internet Connection.

How to boot to Safe Mode.
Getting into Windows Safe Mode
__________________
nasdaq is offline  
Old 07-15-2011, 09:47 AM   #3
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 15/07/2011 at 17:10:57.
Operating System: Windows Vista (TM) Home Premium

Processes terminated by Rkill or while it was running:
C:\Windows\System32\grpconv.exe

Rkill completed on 15/07/2011 at 17:11:19.
steviev is offline  
Sponsored Links
Advertisement
 
Old 07-15-2011, 10:24 AM   #4
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



What about the Malwarebytes and my questions about Safe Mode?
__________________
nasdaq is offline  
Old 07-15-2011, 10:38 AM   #5
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



hallo and thank you for your time, I'm sorry for the short reply earlier i was just pasting in log results from infected pc, it allowed me to do that but not add any other text. The infected pc does connect to the internet and since using the rkill scan i have been able to update antimalware, it is currently scanning. it would not allow me to scan as administrator nor change the disc preferences to scan or even to do quick scan. It is doing a full scan of c only.
And yes I am able to start it in safe mode. I am currently on the other pc so am able to type this in without problem. I will post results of malware scan as soon as it has finished ...hopefully if i can get access to them
many thanks again
Stevie
steviev is offline  
Old 07-15-2011, 12:45 PM   #6
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7149

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421


15/07/2011 20:08:06
mbam-log-2011-07-15 (20-08-06).txt


Scan type: Full scan (C:\|)
Objects scanned: 339210
Time elapsed: 2 hour(s), 8 minute(s), 29 second(s)


Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0


Memory Processes Infected:
(No malicious items detected)


Memory Modules Infected:
(No malicious items detected)


Registry Keys Infected:
(No malicious items detected)


Registry Values Infected:
(No malicious items detected)


Registry Data Items Infected:
(No malicious items detected)


Folders Infected:
(No malicious items detected)


Files Infected:
(No malicious items detected)


Hope this helps
steviev is offline  
Old 07-15-2011, 12:47 PM   #7
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



This was the log file that came up immediately after scan, i could not gain access to logs once i had closed this report, thank you
steviev is offline  
Old 07-16-2011, 05:07 AM   #8
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



In normal mode download and run this tool. Do it in safe mode if you must.


Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: A guide and tutorial on using ComboFix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


For AVG antivirus and anti-spyware security software users only.
Quote:
Due to recent changes in AVG and how it interacts with CF, AVG must be uninstalled to run ComboFix. You will get a message from CF stating such.

If AVG will not uninstall, it is first recommended to uninstall it with this AppRemover by Opswat. The AVG uninstaller can be downloaded from here > AppRemover.exe Go to their homepage and you will see they have support for removal of other AV's as well AVG appremover tool.
__________________
nasdaq is offline  
Old 07-16-2011, 06:45 AM   #9
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



hi
i have downloaded combo fix to another pc as i cannot download it to the infected laptop. i am trying to turn of tea timer in spybot s&d and macafee but have limited naigated, eery time i try to get into advanced mode on s&d it starts scanning, am now re booting and will keep trying, will not be able to use combo unless i do this? I am able to stop processes via task manager, so if you think this will stop both anti irus products long enough to run combo please will you tell me what processes i need to end to close both programs, hope this makes sense and really sorry to be a pain, i have never had anything like this that prevents navigation so irregularly
Thank u
steviev is offline  
Old 07-16-2011, 07:33 AM   #10
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Forget about the ComboFix tool.
You will not be able to run it with no internet connection.

Download this tool and transfer it to the problem computer. Run it and post the log if you can.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
__________________
nasdaq is offline  
Old 07-16-2011, 08:36 AM   #11
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



hi again,
ok i have downloaded OTL but not to desktop as i had no option to change
I have the program open to scan but cannot change any of the settings unless you can advise me of shortcuts for it. I am able to connect to the internet but have limited use, some items can be downloaded some cannot. Mostly with any program i open i cannot change settings, even if i highlight and click enter, i can probably run a scan but setting as standard output, and all others selected are use safe list. I may be able to get combo fix onto the desktop via sd card, and do have access to net on infected pc but cannot turn off antiirus programs, will wait to hear back from u
Thankyou again for your time
steviev is offline  
Old 07-16-2011, 10:29 AM   #12
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Let see if by running this tool your situation normalizes.

This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes.

Download FixNCR.reg

Once that file is downloaded and saved on a removable devices, insert the removable device into the infected computer and open the folder the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer. You should now be able to run your normal executable programs and can proceed to the next step.

If you do not have any removable media or another clean computer that you can download the FixNCR.reg file onto, you can try and download it to your infected computer using another method. On the infected computer, right click on the Internet Explorer's icon, or any other browser's icon, and select Run As or Run as Administrator. If you are using Windows XP, you will be prompted to select a user and enter its password. It is suggested that you attempt to login as the Administrator user. For Windows 7 or Windows Vista, you will be prompted to enter your Administrator account password.

Once you enter the password, your browser will start and you can download the above FixNCR.reg file. When saving it, make sure you save it to a folder that can be accessed by your normal account. Remember, that you will be launching the browser as another user, so if you save it to a My Documents folder, it will not be your normal My Documents folder that it is downloaded into. Instead it will be the My Documents folder that belongs to the user you ran the browser as. Once the download has finished, close your browser and find the FixNCR.reg file that you downloaded. Now double-click on it and allow the data to be merged. You should now be able to run your normal executable programs and can proceed to the next step.
===
__________________
nasdaq is offline  
Old 07-16-2011, 11:41 AM   #13
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



I think it worked, message said key successfully added to the registry. It doesnt say anything about merge?
What do u want me to run next? Still behaing same way can only access start by pressing window key
thank u for your continued help and patience
steviev is offline  
Old 07-16-2011, 11:47 AM   #14
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Look in your Firefox Extension (tools menu > Add on > Exstension.

Delete this one it's bad.

FF - Ext: XULRunner: {3EA970E3-C0B0-4299-9A98-D720B94CC395} - c:\users\sp00kyg\appdata\local\{3EA970E3-C0B0-4299-9A98-D720B94CC395}

Any improvement?
__________________
nasdaq is offline  
Old 07-16-2011, 12:35 PM   #15
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



I cant access firefox tools menu, i have tried to find the uxl file by searching, also by looking in program files, what else can i try?
Thank u
steviev is offline  
Old 07-17-2011, 05:38 AM   #16
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



You have a badly infected or corrupted system.

This tool can be downloaded and run locally.

Download the file and transfer it to the problem computer.

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet
  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right, and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Boot to safe mode and run the ComboFix from there.
The ComboFix.exe should be in your Desktop folder. Run it.
__________________
nasdaq is offline  
Old 07-17-2011, 06:21 AM   #17
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



oh dear, i have managed to download it but not to desktop, i can find it in downloads, i have tried to run it the cursor cirlce comes up then nothing happens, i have tried to run as administrator, same, nothing,now ten mins later the laptop screen is flashing as is the cursor arrow, the screen is black but i can just see a warning notice but not enough to read as it keeps goin black, do i leave it for a while see what happens?
steviev is offline  
Old 07-17-2011, 06:50 AM   #18
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



managed to shut it down via ctrl alt delete, will try to scan again
steviev is offline  
Old 07-17-2011, 06:53 AM   #19
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



I do not think I can fix this computer.

I suggest you copy all your important data files and reinstall the operating system.

If you have the installation disk that will help.

You may have been provided with such a disk when you purchased the computer. Of you created the disk when you first got the computer which may restore your computer to the manufacturer's settings.

If not then you need to get it to a qualified technician.

Sorry.
__________________
nasdaq is offline  
Old 07-17-2011, 06:59 AM   #20
Registered Member
 
Join Date: Jul 2011
Posts: 30
OS: vista home premium service pack 2



notice is up says standard or epm scan, cant seem to change it from standard to epm, how do i proceed? thank u
steviev is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
Redirecting and virus problems
My computer is redirecting and im sure i have a virus. When i try to run gmer it shuts my computer down even when only checking sections and c drive. Here is the logs that i could get. Thanks in advance. Timmy This is not the same computer as my previous problems. Thanks timmy DDS...
toliver30471 Resolved HJT Threads 21 02-23-2011 05:09 PM
computer freezes redirects to different sites on google
Please help. My computer has been running slow and many times when I upload a page it says it is not responding. The other issue is that when I do a search on google and click on the correct search,it directs me to another soliciting site. I have tried to run GMER both ways and it just will not...
lubo1 Inactive Malware Help Topics 8 02-21-2011 09:28 PM
Browser Redirect Issue
I have been having an issue with both IE and Firefox redirecting Google search results a majority of the time. I had done a scan with Spybot Search & Destroy prior to posting here and "Fraud.WindowsProtectionSuite" (15 entries) and "Microsoft.Windows.RedirectedHosts" (3 entries) were the only...
bob2881 Resolved HJT Threads 21 02-21-2011 06:48 PM
virus problem
After visiting some websites, my system suddenly had a fake anti-virus app asking me to "fix" problems. I did not click any of that. I tried to ctrl alt dlt to close it, but it said something failed, so i couldnt even do that. Somehow, I managed to restart it and hit ctrl alt del before the...
goawaynow Resolved HJT Threads 37 02-19-2011 12:45 PM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 02:54 PM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts