Tech Support Forum > Security Center > Virus/Trojan/Spyware Help


Have a badly infected laptop need help!



Old 05-08-2012, 06:45 PM   #1
Registered Member
 
Join Date: May 2012
Posts: 135
OS: windows 7



Hi

I have been having dramas with my laptop and now I really need help to remove the issues causing me major problems. I have AVG antivirus protection installed, and when running a scan I was being told that I have an infection called Trojan horse hider:MPR.

The browser I use is Firefox, and for some time now I have been getting messages telling me that "firefox was trying to be tricked into doing an unsecure update please contact my service provider".

I also get an error message every time I start my computer saying "There was a problem starting C:\Users\Client\AppData\Local\Temp\utple.dll the specified module could not be found".

When I run a scan using AVG it tells me that the problem is located in the Documents folder. I ran scans on each individual file within this folder and none of them came up as having infections.

I then ran a scan on the client folder on my desktop and it came up with the following 2 infections:

Object name : C:\Users\Client\AppData\Local\jbuetdom\rhmthdtr.exe
Object Threat name : Trojan horse SHeur4.ACMP
Object Type : File
SDK Type : Core
Results : Infected


Object name : C:\Users\Client\0.7897592794586422.exe
Object Threat name : C:\Trojan horse SHeur4
Object Type : File
SDK Type : Core
Results : Infected

I have read through the initial steps that you require me to follow but am unable to do certain tasks, as I can't download files to my laptop. I also ran a scan on my external hard drive using AVG and am being told that it also has issues. I don't want to do anything with my files from my external hard drive, or back up my current files using this external hard drive, until I have been advised by someone as to whether this drive is infected and can still be saved.

I would really appreciate any help to get my laptop clean and operating properly and learn the steps I need to follow to ensure my safety in the future.

Thanks
Lindsay H
LindsayH is offline  
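The logon error quoted in the post above ("There was a problem starting ...\Temp\utple.dll, the specified module could not be found") is the message rundll32 gives when an autorun entry still points at a DLL that is no longer on disk: the Run value survived while the file it loaded was removed. The following script is an added example for this thread, not code from DDS, AVG or any tool the thread mentions. It reads Run and Policies lines in the format DDS prints in its "Pseudo HJT Report" and flags the things a helper checks first: a target in a per-user writable folder (Temp, AppData), a DLL loaded through rundll32 from such a folder, a target that no longer exists, an empty Run value, and the two policy values that switch off UAC or hide the Action Center icon. The sample lines and the `PRESENT_FILES` set are constructed for the example; on a live machine you would pass `os.path.exists` as the `exists` argument.

```python
"""Triage of autorun lines from a DDS-style "Pseudo HJT Report".

Added example; not part of DDS, AVG or any product named in the thread.
Flagged entries are leads for review, not verdicts: a per-user updater
such as Google Update legitimately lives under AppData\Local.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# "<u|m>Run: [<value name>] <command line>"  (u = user hive, m = machine hive)
RUN_LINE = re.compile(r'^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# "<u|m>Policies-<area>: <key> = <value> (0x..)"
POLICY_LINE = re.compile(r'^(?P<hive>[um])Policies-(?P<area>\w+):\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)')

# Folder fragments checked in order, most specific first (lower-case, doubled backslashes).
USER_WRITABLE = [
    ('\\appdata\\local\\temp\\', 'per-user Temp'),
    ('\\appdata\\local\\', 'AppData\\Local'),
    ('\\appdata\\roaming\\', 'AppData\\Roaming'),
    ('\\users\\public\\', 'Users\\Public'),
]

# (area, key) -> (value that is a finding, explanation)
POLICY_FLAGS = {
    ('system', 'EnableLUA'): (0, 'UAC is disabled (EnableLUA = 0)'),
    ('explorer', 'HideSCAHealth'): (1, 'Action Center icon is hidden (HideSCAHealth = 1)'),
}


@dataclass
class Finding:
    line: str
    reason: str


def loaded_path(cmd: str) -> str:
    """Path the entry really executes: the DLL argument for rundll32,
    otherwise the first (optionally quoted) token. Returned lower-cased."""
    if cmd.lower().startswith('rundll32'):
        m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmd, re.IGNORECASE)
    else:
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)).lower() if m else ''


def writable_kind(path: str) -> Optional[str]:
    for fragment, label in USER_WRITABLE:
        if fragment in path:
            return label
    return None


def triage(report_lines: List[str], exists: Optional[Callable[[str], bool]] = None) -> List[Finding]:
    """One Finding per suspicious observation. `exists` is os.path.exists on a
    live machine; None skips the on-disk check."""
    findings = []
    for raw in report_lines:
        line = raw.strip()
        run = RUN_LINE.match(line)
        if run:
            cmd = run.group('cmd').strip()
            if not cmd:
                findings.append(Finding(line, 'Run value [%s] has no command line' % run.group('name')))
                continue
            path = loaded_path(cmd)
            via = 'DLL loaded via rundll32' if cmd.lower().startswith('rundll32') else 'executable'
            kind = writable_kind(path)
            if kind:
                findings.append(Finding(line, '%s from %s: %s' % (via, kind, path)))
            if exists is not None and path and not exists(path):
                findings.append(Finding(line, 'target no longer on disk (orphaned entry): %s' % path))
            continue
        pol = POLICY_LINE.match(line)
        if pol:
            flag = POLICY_FLAGS.get((pol.group('area'), pol.group('key')))
            if flag and int(pol.group('val')) == flag[0]:
                findings.append(Finding(line, flag[1]))
    return findings


# Constructed sample in the DDS line format (the utple and <NO NAME> lines
# mirror the kind of entries seen in this thread's DDS log).
SAMPLE_REPORT = [
    r'uRun: [Google Update] "c:\users\client\appdata\local\google\update\GoogleUpdate.exe" /c',
    r'uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun',
    r'mRun: [<NO NAME>]',
    r'mRun: [IgfxTray] c:\windows\system32\igfxtray.exe',
    r'mRun: [utple] rundll32.exe "c:\users\client\appdata\local\temp\utple.dll",LoadFile',
    r'uPolicies-explorer: HideSCAHealth = 1 (0x1)',
    r'mPolicies-system: EnableLUA = 0 (0x0)',
    r'mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)',
]

# Constructed stand-in for os.path.exists: every target is present except the
# Temp DLL, reproducing the "module could not be found" situation.
PRESENT_FILES = {
    r'c:\users\client\appdata\local\google\update\googleupdate.exe',
    r'c:\program files\skype\phone\skype.exe',
    r'c:\windows\system32\igfxtray.exe',
}


def triage_sample() -> List[Finding]:
    return triage(SAMPLE_REPORT, exists=lambda p: p in PRESENT_FILES)


if __name__ == '__main__':
    for f in triage_sample():
        print('%-70s  %s' % (f.reason, f.line))
```

The orphaned-entry finding is the one that explains the symptom in the post: cleaning the DLL without deleting the Run value leaves the error at every logon, so both the file and the registry value need to go. The AppData\Local hit on Google Update shows why the output is a review list rather than a verdict.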
 
Old 05-10-2012, 03:07 PM   #2
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hi LindsayH,

Quote:
I also ran a scan on my external hard drive using AVG and am being told that it also has issues
What is AVG reporting on that external drive? What location(s) contain infection and what infection is it seeing?

Use another computer to download the tools needed, then transfer them to your laptop to run them. I'll have a better idea of what's going on once you post the logs. :)
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 05-10-2012, 07:24 PM   #3
Registered Member
 
Join Date: May 2012
Posts: 135
OS: windows 7



Hi Ried
Thank you for getting back to me regarding this problem; I really appreciate your help. Please forgive me, as I'm not very tech savvy, and apologies ahead of time if I don't quite understand how to do something. I will do my best to provide you with the information that you need, and if I make a mistake I will try my very best to correct it.

I have completed a scan with AVG on my external hard drive and this is the log that it gave me:

Scan "Shell extension scan" completed.
Spyware;"9";"0";"9"
Information;"8"
Folders selected for scanning:;"E:\;"
Scan started:;"Friday, 11 May 2012, 8:50:33 AM"
Scan finished:;"Friday, 11 May 2012, 10:21:10 AM (1 hour(s) 30 minute(s) 36 second(s))"
Total object scanned:;"765801"
User who launched the scan:;"Client"

Spyware
;"File";"Infection";"Result"
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 91.zip:\C\Users\Client\Downloads\AffiliateMonSoftware79.zip:\Z1D4\FAM Brander\FAM Software Brander.msi:\_D064E6A53C5805835DE6A548B9E5FF48:\_7EE0BA3B2665F3D3ED3C2BCFF85C4247";"Potentially harmful program Tool.LN";"Potentially dangerous object"
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 91.zip:\C\Users\Client\Downloads\AffiliateMonSoftware79.zip:\Z1D4\FAM Brander\FAM Software Brander.msi:\_D064E6A53C5805835DE6A548B9E5FF48";"Potentially harmful program Tool.LN";"Potentially dangerous object"
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 91.zip:\C\Users\Client\Downloads\AffiliateMonSoftware79.zip:\Z1D4\FAM Brander\FAM Software Brander.msi";"Potentially harmful program Tool.LN";"Potentially dangerous object"
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 91.zip:\C\Users\Client\Downloads\AffiliateMonSoftware79.zip";"Potentially harmful program Tool.LN";"Potentially dangerous object"
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 91.zip";"Potentially harmful program Tool.LN";"Potentially dangerous object"
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 67.zip:\C\Users\Client\Documents\Affiliate files\TrafficAuto54h7ud8.zip:\TrafficAutomation\Traffic Automation.exe:\{app}\decaptcher.dll";"Potentially harmful program Tool.LN";"Potentially dangerous object"
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 67.zip:\C\Users\Client\Documents\Affiliate files\TrafficAuto54h7ud8.zip:\TrafficAutomation\Traffic Automation.exe";"Potentially harmful program Tool.LN";"Potentially dangerous object"
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 67.zip:\C\Users\Client\Documents\Affiliate files\TrafficAuto54h7ud8.zip";"Potentially harmful program Tool.LN";"Potentially dangerous object"
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 67.zip";"Potentially harmful program Tool.LN";"Potentially dangerous object"

Information
;"File";"Information";"Result"
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 18.zip:\C\Program Files\TOSHIBA\TOSAPINS\COMPS1\Corel DVD MovieFactory for TOSHIBA-7.00.40266.0\TC00224100A.exe:\Corel DVD MovieFactory.msi:\ISSetupFile.SetupFile16";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 18.zip:\C\Program Files\TOSHIBA\TOSAPINS\COMPS1\Corel DVD MovieFactory for TOSHIBA-7.00.40266.0\TC00224100A.exe:\Corel DVD MovieFactory.msi";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 18.zip:\C\Program Files\TOSHIBA\TOSAPINS\COMPS1\Corel DVD MovieFactory for TOSHIBA-7.00.40266.0\TC00224100A.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
;"E:\CLIENT-PC\Backup Set 2011-04-24 115114\Backup Files 2011-04-24 115114\Backup files 18.zip";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
;"E:\CLIENT-PC\Backup Set 2010-09-18 142146\Backup Files 2010-09-18 142146\Backup files 17.zip:\C\Program Files\TOSHIBA\TOSAPINS\COMPS1\Corel DVD MovieFactory for TOSHIBA-7.00.40266.0\TC00224100A.exe:\Corel DVD MovieFactory.msi:\ISSetupFile.SetupFile16";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
;"E:\CLIENT-PC\Backup Set 2010-09-18 142146\Backup Files 2010-09-18 142146\Backup files 17.zip:\C\Program Files\TOSHIBA\TOSAPINS\COMPS1\Corel DVD MovieFactory for TOSHIBA-7.00.40266.0\TC00224100A.exe:\Corel DVD MovieFactory.msi";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
;"E:\CLIENT-PC\Backup Set 2010-09-18 142146\Backup Files 2010-09-18 142146\Backup files 17.zip:\C\Program Files\TOSHIBA\TOSAPINS\COMPS1\Corel DVD MovieFactory for TOSHIBA-7.00.40266.0\TC00224100A.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
;"E:\CLIENT-PC\Backup Set 2010-09-18 142146\Backup Files 2010-09-18 142146\Backup files 17.zip";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""





I also ran AVG on the client folder on my desktop which gave me this log:

Scan "Shell extension scan" completed.
Infections;"1";"0";"1"
Folders selected for scanning:;"C:\Users\Client;"
Scan started:;"Friday, 11 May 2012, 10:27:49 AM"
Scan finished:;"Friday, 11 May 2012, 11:15:19 AM (47 minute(s) 30 second(s))"
Total object scanned:;"136075"
User who launched the scan:;"Client"

Infections
;"File";"Infection";"Result"
;"C:\Users\Client\0.7897592794586422.exe";"Trojan horse SHeur4.ACMP";"Infected"



I downloaded the files that were needed for the initial steps.

This is the log from the DDS scan:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Client at 11:26:15 on 2012-05-11
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.64.1033.18.2909.1311 [GMT 10:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\AVG\AVG2012\avgfws.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe
C:\windows\system32\hasplms.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TECO\TEco.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\windows\system32\igfxsrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Users\Client\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\conhost.exe
C:\windows\system32\java.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Updater For Spam Free Search Bar: {20a0be68-8fd9-4539-8712-ce3d1c1fdfc6} - c:\program files\blekkotb\auxi\blekkoAu.dll
BHO: Spam Free Search Bar: {26c9e18c-3717-4be1-a225-04e4471f5b6e} - c:\program files\blekkotb\blekkoDx.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Wisdom-soft toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWisd.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mif5ba~1\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: TheBflix Class: {eeddbc78-69c9-4083-9fda-2a7aec1f1b0a} - c:\programdata\thebflix\bhoclass.dll
TB: Wisdom-soft toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWisd.dll
TB: Spam Free Search Bar: {26c9e18c-3717-4be1-a225-04e4471f5b6e} - c:\program files\blekkotb\blekkoDx.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Google Update] "c:\users\client\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Easy-Hide-IP] c:\program files\easy-hide-ip\easy-hide-ip.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [Vagex] c:\users\client\desktop\uk chiropractors i have emailed\vagex\Vagex.exe
mRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [ToshibaServiceStation] c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe /hide:60
mRun: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
mRun: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
mRun: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Anti-phishing Domain Advisor] "c:\programdata\anti-phishing domain advisor\visicom_antiphishing.exe"
mRun: [utple] rundll32.exe "c:\users\client\appdata\local\temp\utple.dll",LoadFile
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
StartupFolder: c:\users\client\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\onlywire.lnk - c:\program files\onlywire\OnlyWireWindows.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: c:\windows\system32\EasyRedirect.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.0.0.138
TCP: Interfaces\{E0C2CD75-3E62-4070-B2AE-8A986F6BBC8E} : DhcpNameServer = 10.0.0.138
TCP: Interfaces\{EA6C7FF2-C072-46A2-BB1E-F83C9B7B2504} : DhcpNameServer = 10.0.0.138
TCP: Interfaces\{EA6C7FF2-C072-46A2-BB1E-F83C9B7B2504}\24967605F6E64613732313 : DhcpNameServer = 10.0.0.138
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
IFEO: image file execution options - svchost.exe
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2011-5-23 47968]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2012\avgfws.exe [2012-3-23 2321520]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 EasyRedirect;EasyRedirect;c:\program files\easy-hide-ip\rdr\EasyRedirect.exe [2012-3-26 3325768]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 RSELSVC;TOSHIBA Modem region select service;c:\program files\toshiba\rselect\RSelSvc.exe [2009-7-8 62832]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-3-23 2886528]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-8-11 181616]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-20 12920]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-10-14 24064]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-27 233472]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-11-5 376832]
R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-10-14 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-8-4 111960]
R3 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-8-7 685424]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 CTMFLT;VNUSB;c:\windows\system32\svchost.exe -k netsvcs [2009-7-14 20992]
S2 DivisCTS;Zebrbus;c:\windows\system32\svchost.exe -k netsvcs [2009-7-14 20992]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S2 symantecantibotdriver;Pnkbstra;c:\windows\system32\svchost.exe -k netsvcs [2009-7-14 20992]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-11 253600]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-16 52224]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2011-12-12 10064]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-10 1343400]
S4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2011-12-14 1514304]
.
=============== Created Last 30 ================
.
2012-05-07 22:37:02 -------- d-----w- c:\users\client\appdata\local\jbuetdom
2012-05-07 22:36:59 85940 ----a-w- c:\users\client\0.7897592794586422.exe
2012-05-01 07:33:54 -------- d-----w- c:\users\client\appdata\local\{B0456B14-9ECF-4C6E-B036-00B6CFBC2201}
2012-04-28 00:30:51 -------- d-----w- c:\users\client\appdata\local\{F91F1089-F11F-41D1-91EC-3C2F1FAE2809}
2012-04-25 10:28:49 -------- d-----w- c:\users\client\dwhelper
2012-04-24 00:32:10 -------- d-----w- c:\users\client\appdata\roaming\AVG2012
2012-04-24 00:30:17 -------- d-----w- c:\windows\system32\drivers\AVG
2012-04-24 00:30:17 -------- d-----w- c:\programdata\AVG2012
2012-04-24 00:24:57 -------- d--h--w- c:\programdata\Common Files
2012-04-24 00:24:16 -------- d-----w- c:\programdata\MFAData
2012-04-24 00:19:58 3903528 ----a-w- C:\avg_isct_stb_all_2012_1873_cnet.exe
2012-04-23 23:57:22 -------- d-----w- c:\programdata\AMMYY
2012-04-23 21:38:45 -------- d-----w- c:\users\client\appdata\roaming\Wulixu
2012-04-23 21:38:45 -------- d-----w- c:\users\client\appdata\roaming\Nasyhia
2012-04-22 21:33:26 -------- d-----w- c:\users\client\appdata\roaming\Idzyha
2012-04-22 21:33:26 -------- d-----w- c:\users\client\appdata\roaming\Aciq
2012-04-22 12:30:59 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-22 12:29:48 -------- d-----w- c:\users\client\appdata\local\Region
2012-04-20 15:18:49 -------- d-----w- c:\users\client\appdata\roaming\UBot Studio
2012-04-20 15:04:23 -------- d-----w- C:\Wiki Master Blaster Pro
2012-04-19 10:54:49 -------- d-----w- c:\users\client\appdata\local\{1DEA0E7B-8A0E-11E1-826D-B8AC6F996F26}
2012-04-19 10:54:49 -------- d-----w- c:\users\client\appdata\local\{1DE9DB36-8A0E-11E1-826D-B8AC6F996F26}
2012-04-19 10:53:37 -------- d-----w- c:\programdata\529C50D80004033B001F5C4BB4EB23C1
2012-04-19 10:53:27 -------- d-----w- c:\program files\common files\Region
2012-04-18 18:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-11 12:14:54 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 12:14:54 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 12:14:54 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 12:14:53 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 12:13:55 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-11 12:13:55 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
.
==================== Find3M ====================
.
2012-04-10 21:57:56 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-10 21:57:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-18 19:17:28 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-02-28 22:25:01 60304 ----a-w- c:\users\client\g2mdlhlpx.exe
2012-02-28 03:23:02 360264 ----a-w- c:\windows\system32\EasyRedirect.dll
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-21 19:25:32 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 02:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
============= FINISH: 11:28:19.46 ===============




And here is the log from the GMER scan. I did have issues doing this scan, so I had to untick all the boxes except Sections and run the scan like that:

GMER 1.0.15.15641 - GMER - Rootkit Detector and Remover
Rootkit scan 2012-05-11 11:41:46
Windows 6.1.7601 Service Pack 1
Running: j8t538rs.exe; Driver: C:\Users\Client\AppData\Local\Temp\pwrirpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82C51359 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C8AD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 82C91E94 3 Bytes [F1, 3F, C1]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1357 82C9202C 8 Bytes [04, 80, 51, 95, D4, 80, 51, ...] {ADD AL, 0x80; PUSH ECX; XCHG EBP, EAX; AAM 0x80; PUSH ECX; XCHG EBP, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 137F 82C92054 3 Bytes [F6, 3F, C1]
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82C92074 4 Bytes [76, 7D, 51, 95] {JBE 0x7f; PUSH ECX; XCHG EBP, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82C92344 8 Bytes [1E, 7E, 51, 95, BA, 7E, 51, ...]
.text ...
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8B136000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8B17B000, 0x3DC, 0x48000040]
.text C:\windows\system32\DRIVERS\aksfridge.sys section is writeable [0x954BF000, 0x47E35, 0xE0000020]
.init C:\windows\system32\DRIVERS\aksfridge.sys entry point in ".init" section [0x95513224]
.init C:\windows\system32\DRIVERS\aksfridge.sys unknown last code section [0x95513000, 0x4000, 0xE20000E0]
.text C:\windows\system32\drivers\hardlock.sys section is writeable [0x9551A400, 0x6E6E2, 0xE8000020]
.protect’’’’hardlockentry point in ".protect’’’’hardlockentry point in ".protect’’’’hardlockentry point in ".p" section [0x955A4820] C:\windows\system32\drivers\hardlock.sys entry point in ".protect’’’’hardlockentry point in ".protect’’’’hardlockentry point in ".p" section [0x955A4820]
.protect’’’’hardlockunknown last code section [0x955A4600, 0x512A, 0xE0000020] C:\windows\system32\drivers\hardlock.sys unknown last code section [0x955A4600, 0x512A, 0xE0000020]
? C:\Users\Client\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\TechSmith\Jing\Jing.exe[3612] WS2_32.dll!getaddrinfo 75864296 5 Bytes JMP 046CE8E0 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\TechSmith\Jing\Jing.exe[3612] WS2_32.dll!GetAddrInfoW 75864889 5 Bytes JMP 046CE390 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\TechSmith\Jing\Jing.exe[3612] WS2_32.dll!FreeAddrInfoW 75864B1B 5 Bytes JMP 046CE330 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\TechSmith\Jing\Jing.exe[3612] WS2_32.dll!gethostbyname 75877673 5 Bytes JMP 046CEE90 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] kernel32.dll!CreateThread 7738DCC2 5 Bytes JMP 6ABA72FB C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!EnableWindow 77168D02 5 Bytes JMP 6ABE9A14 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!DefWindowProcA 7716BB1C 7 Bytes JMP 6ABA9525 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!CreateWindowExA 7716BF40 5 Bytes JMP 6ABB335B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!CreateWindowExW 7716EC7C 5 Bytes JMP 6AC0FF8F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!DefWindowProcW 7717507D 7 Bytes JMP 6AC07C1A C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!DialogBoxParamW 77183B9B 5 Bytes JMP 6AB4170B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!DialogBoxIndirectParamW 77193B7F 5 Bytes JMP 6AD3640E C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!DialogBoxParamA 771ACF42 5 Bytes JMP 6AD363A9 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!DialogBoxIndirectParamA 771AD274 5 Bytes JMP 6AD36473 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!MessageBoxIndirectA 771BE869 5 Bytes JMP 6AD36330 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!MessageBoxIndirectW 771BE963 5 Bytes JMP 6AD362B7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!MessageBoxExA 771BE9C9 5 Bytes JMP 6AD36253 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!MessageBoxExW 771BE9ED 5 Bytes JMP 6AD361EF C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] ole32.dll!OleLoadFromStream 76A76143 5 Bytes JMP 6AD36BE7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!getaddrinfo 75864296 5 Bytes JMP 00A9E8E0 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!WSASend 75864406 6 Bytes JMP 719D0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!GetAddrInfoW 75864889 5 Bytes JMP 00A9E390 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!FreeAddrInfoW 75864B1B 5 Bytes JMP 00A9E330 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!WSALookupServiceNextW 75864CBC 6 Bytes JMP 71A90F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!WSALookupServiceEnd 75865239 6 Bytes JMP 71A60F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!WSALookupServiceBeginW 7586575A 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!recv 75866B0E 6 Bytes JMP 71A00F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!send 75866F01 6 Bytes JMP 71A30F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!WSARecv 75867089 6 Bytes JMP 719A0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!WSAGetOverlappedResult 75867489 6 Bytes JMP 71970F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!gethostbyname 75877673 5 Bytes JMP 00A9EE90 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5248] WS2_32.dll!getaddrinfo 75864296 5 Bytes JMP 1002E8E0 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5248] WS2_32.dll!GetAddrInfoW 75864889 5 Bytes JMP 1002E390 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5248] WS2_32.dll!FreeAddrInfoW 75864B1B 5 Bytes JMP 1002E330 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5248] WS2_32.dll!gethostbyname 75877673 5 Bytes JMP 1002EE90 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] kernel32.dll!CreateThread 7738DCC2 5 Bytes JMP 6ABA72FB C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!EnableWindow 77168D02 5 Bytes JMP 6ABE9A14 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!DefWindowProcA 7716BB1C 7 Bytes JMP 6ABA9525 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!CreateWindowExA 7716BF40 5 Bytes JMP 6ABB335B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!CreateWindowExW 7716EC7C 5 Bytes JMP 6AC0FF8F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!DefWindowProcW 7717507D 7 Bytes JMP 6AC07C1A C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!DialogBoxParamW 77183B9B 5 Bytes JMP 6AB4170B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!DialogBoxIndirectParamW 77193B7F 5 Bytes JMP 6AD3640E C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!DialogBoxParamA 771ACF42 5 Bytes JMP 6AD363A9 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!DialogBoxIndirectParamA 771AD274 5 Bytes JMP 6AD36473 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!MessageBoxIndirectA 771BE869 5 Bytes JMP 6AD36330 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!MessageBoxIndirectW 771BE963 5 Bytes JMP 6AD362B7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!MessageBoxExA 771BE9C9 5 Bytes JMP 6AD36253 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] USER32.dll!MessageBoxExW 771BE9ED 5 Bytes JMP 6AD361EF C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] ole32.dll!OleLoadFromStream 76A76143 5 Bytes JMP 6AD36BE7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!getaddrinfo 75864296 5 Bytes JMP 00A8E8E0 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!WSASend 75864406 6 Bytes JMP 719D0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!GetAddrInfoW 75864889 5 Bytes JMP 00A8E390 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!FreeAddrInfoW 75864B1B 5 Bytes JMP 00A8E330 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!WSALookupServiceNextW 75864CBC 6 Bytes JMP 71A90F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!WSALookupServiceEnd 75865239 6 Bytes JMP 71A60F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!WSALookupServiceBeginW 7586575A 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!recv 75866B0E 6 Bytes JMP 71A00F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!send 75866F01 6 Bytes JMP 71A30F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!WSARecv 75867089 6 Bytes JMP 719A0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!WSAGetOverlappedResult 75867489 6 Bytes JMP 71970F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[6608] WS2_32.dll!gethostbyname 75877673 5 Bytes JMP 00A8EE90 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] kernel32.dll!CreateThread 7738DCC2 5 Bytes JMP 6ABA72FB C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!EnableWindow 77168D02 5 Bytes JMP 6ABE9A14 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!DefWindowProcA 7716BB1C 7 Bytes JMP 6ABA9525 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!CreateWindowExA 7716BF40 5 Bytes JMP 6ABB335B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!CreateWindowExW 7716EC7C 5 Bytes JMP 6AC0FF8F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!DefWindowProcW 7717507D 7 Bytes JMP 6AC07C1A C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!DialogBoxParamW 77183B9B 5 Bytes JMP 6AB4170B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!DialogBoxIndirectParamW 77193B7F 5 Bytes JMP 6AD3640E C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!DialogBoxParamA 771ACF42 5 Bytes JMP 6AD363A9 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!DialogBoxIndirectParamA 771AD274 5 Bytes JMP 6AD36473 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!MessageBoxIndirectA 771BE869 5 Bytes JMP 6AD36330 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!MessageBoxIndirectW 771BE963 5 Bytes JMP 6AD362B7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!MessageBoxExA 771BE9C9 5 Bytes JMP 6AD36253 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] USER32.dll!MessageBoxExW 771BE9ED 5 Bytes JMP 6AD361EF C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] ole32.dll!OleLoadFromStream 76A76143 5 Bytes JMP 6AD36BE7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!getaddrinfo 75864296 5 Bytes JMP 0220E8E0 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!WSASend 75864406 6 Bytes JMP 719D0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!GetAddrInfoW 75864889 5 Bytes JMP 0220E390 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!FreeAddrInfoW 75864B1B 5 Bytes JMP 0220E330 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!WSALookupServiceNextW 75864CBC 6 Bytes JMP 71A90F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!WSALookupServiceEnd 75865239 6 Bytes JMP 71A60F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!WSALookupServiceBeginW 7586575A 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!recv 75866B0E 6 Bytes JMP 71A00F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!send 75866F01 6 Bytes JMP 71A30F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!WSARecv 75867089 6 Bytes JMP 719A0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!WSAGetOverlappedResult 75867489 6 Bytes JMP 71970F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[8156] WS2_32.dll!gethostbyname 75877673 5 Bytes JMP 0220EE90 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)

---- EOF - GMER 1.0.15 ----




I also have the Attach.txt log but have been unable to put it in a zip file, so here is the log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 20/01/2010 3:18:56 AM
System Uptime: 11/05/2012 8:46:58 AM (3 hours ago)
.
Motherboard: TOSHIBA | | KSWAA
Processor: Intel(R) Celeron(R) CPU 900 @ 2.20GHz | U2E1 | 2194/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 137 GiB total, 77.367 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 932 GiB total, 797.15 GiB free.
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP379: 21/04/2012 1:00:55 AM - Installed Wiki Master Blaster Pro
RP380: 21/04/2012 1:04:12 AM - Installed Wiki Master Blaster Pro
RP381: 24/04/2012 10:19:20 AM - Global IT
RP382: 24/04/2012 10:28:19 AM - Installed AVG 2012
RP383: 24/04/2012 10:28:45 AM - Installed AVG 2012
RP384: 8/05/2012 3:12:28 PM - Removed Wiki Master Blaster Pro
RP385: 9/05/2012 9:14:56 AM - Removed Private Proxy
.
==== Installed Programs ======================
.
7-Zip 9.12 beta
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Anti-phishing Domain Advisor
Apple Application Support
Apple Software Update
AVG 2012
Business Contact Manager for Outlook 2007 SP2
Camtasia Studio 7
CCleaner
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Digi Traffic Accelerator
Direct DiscRecorder
DVD MovieFactory for TOSHIBA
Easy-Hide-IP 4.1.4.1
FileZilla Client 3.5.3
FlashFXP v3
Google Chrome
Google Talk Plugin
Google Update Helper
GoToMeeting 5.1.0.880
Instant Article Suite v1.10
Instant Video Articles v1.03
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 29
Jing
Keyword Blaze
Keyword Blueprint 2
KeywordAdvantage
KeywordOptimizerPro
KompoZer 0.8b3
Link Partner Analyzer
Localphone version 1.1.0
LSI V92 MOH Application
Macromedia Fireworks MX 2004
Magic Submitter version 2.23
Micro Niche Finder 5.0
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Excel Viewer 2003
Microsoft Office Home and Student 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2010
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MiracleTrafficBot
MozBackup 1.4.10
Mozilla Thunderbird 11.0.1 (x86 en-US)
MSVCRT
OGA Notifier 2.0.0048.0
OnlyWire
OpenOffice.org 3.2
PADGen 3.1.1.50
Paint.NET v3.5.8
Ping Machine
PlayReady PC Runtime x86
Power SEO Ranker v1.1
QuickTime
Realtek 8136 8168 8169 Ethernet Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition
SEO SpyGlass
Skype Click to Call
Skype™ 5.8
Spam Free Search Bar
Synaptics Pointing Device Driver
TeamViewer 7
Technology 21 V4.05.05
Technology 21 V4.05.12 Update
Technology 21 V4.05.13 Update
TheBestSpinner
TheBestSpinner3
TheBflix
TOSHIBA Assist
TOSHIBA Bulletin Board
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA eco Utility
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Flash Cards Support Utility
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA Internal Modem Region Select Utility
TOSHIBA PC Health Monitor
TOSHIBA Recovery Media Creator
TOSHIBA ReelTime
TOSHIBA SD Memory Utilities
TOSHIBA Service Station
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
Traffic Travis 3.3.28
TuneUp Utilities 2012
TuneUp Utilities Language Pack (en-US)
Uniblue SpeedUpMyPC 3
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Utility Common Driver
Viewet
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Web 2.0 Mayhem 1.0.7.0
Windows Driver Package - 2Wire (2WIREPCP) Net (03/22/2007 2.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinZip 14.0
Wisdom-soft Toolbar
Wondershare Video Converter Platinum(Build 5.1.2.0)
.
==== End Of File ===========================



I hope that this information is what you need and that I have presented it correctly for you to use.

Once again please forgive me if I have done something wrong and bear with me on my lack of technical ability. I really do appreciate all your help and look forward to hearing from you soon.

Many Thanks
LindsayH
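The "User code sections" table in the GMER log above is much easier to read once the hooks are grouped by the module they jump into. The script below is an added example for this thread, not a tool from the forum or from GMER; the sample lines are copied from the log posted above, and the "trusted vendor" filter is an assumption of the example, not something GMER itself provides.

```python
"""Triage of the 'User code sections' table from a GMER log.

Each line of that table records one inline hook: the process and PID, the
hooked export, the patched address, the patch length, the JMP target and,
when GMER can resolve it, the module owning the target with its file
description and vendor. Grouping by owning module turns the long table
into a short list of what to examine next.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# A subset of the user-mode hook lines from the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\TechSmith\Jing\Jing.exe[3612] WS2_32.dll!getaddrinfo 75864296 5 Bytes JMP 046CE8E0 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] kernel32.dll!CreateThread 7738DCC2 5 Bytes JMP 6ABA72FB C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!getaddrinfo 75864296 5 Bytes JMP 00A9E8E0 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] WS2_32.dll!WSASend 75864406 6 Bytes JMP 719D0F5A
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5248] WS2_32.dll!gethostbyname 75877673 5 Bytes JMP 1002EE90 C:\windows\system32\EasyRedirect.dll (EasyRedirect.dll/EasyTech)

---- EOF - GMER 1.0.15 ----
"""

# The process path may contain spaces, so it is matched lazily up to "[pid]".
# The trailing module/description/vendor group is absent when GMER could not
# map the JMP target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<export>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)"
    r"(?: (?P<module>\S+) \((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\))?$"
)


@dataclass
class Hook:
    process: str            # full path of the hooked process
    pid: int
    export: str             # e.g. "WS2_32.dll!getaddrinfo"
    patched_addr: int
    patch_len: int
    target: int             # where the injected JMP lands
    module: Optional[str]   # module owning the target, if GMER resolved it
    vendor: Optional[str]   # vendor string from that module's version resource


def parse_hooks(text: str) -> List[Hook]:
    """Extract hook records; headers, blanks and kernel entries are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m is None:
            continue
        hooks.append(Hook(
            process=m["proc"], pid=int(m["pid"]), export=m["export"],
            patched_addr=int(m["addr"], 16), patch_len=int(m["size"]),
            target=int(m["target"], 16), module=m["module"], vendor=m["vendor"],
        ))
    return hooks


UNRESOLVED = "<unresolved>"


@dataclass
class Finding:
    module: str             # owning module path, or UNRESOLVED
    vendor: str
    exports: Set[str] = field(default_factory=set)
    processes: Set[str] = field(default_factory=set)


def triage(hooks: List[Hook], trusted_vendor: str = "Microsoft Corporation") -> Dict[str, Finding]:
    """Group hooks by owning module, dropping those owned by the trusted vendor.

    The vendor string is whatever the module's version resource claims, so
    this is a triage filter, not proof: a module that survives it is confirmed
    by checking its Authenticode signature and which installed program it
    belongs to, not by its name.
    """
    findings: Dict[str, Finding] = {}
    for h in hooks:
        if h.module is None:
            key, shown, vendor = UNRESOLVED, UNRESOLVED, "n/a"
        elif h.vendor == trusted_vendor:
            continue    # e.g. IEFRAME.dll hooking USER32 inside iexplore.exe
        else:
            key, shown, vendor = h.module.lower(), h.module, h.vendor or "?"
        f = findings.setdefault(key, Finding(shown, vendor))
        f.exports.add(h.export)
        f.processes.add(f"{h.process.rsplit(chr(92), 1)[-1]}[{h.pid}]")
    return findings


def report(findings: Dict[str, Finding]) -> List[str]:
    """One human-readable line per finding, for pasting back into a thread."""
    lines = []
    for f in findings.values():
        what = ("JMP target in no loaded module" if f.module == UNRESOLVED
                else f"{f.module.rsplit(chr(92), 1)[-1]} ({f.vendor})")
        lines.append(f"{what}: {len(f.exports)} export(s) hooked in "
                     f"{len(f.processes)} process(es): {', '.join(sorted(f.exports))}")
    return lines


if __name__ == "__main__":
    for line in report(triage(parse_hooks(SAMPLE_LOG))):
        print(line)
```

On the full log above, the same grouping shows one non-Microsoft module hooking name resolution in every listed process, plus a set of 6-byte WS2_32 hooks whose target GMER could not map to a module; both are what a helper would match against the installed-programs list before deciding what to do with them.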
 
Old 05-10-2012, 08:15 PM   #4
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



This is perfect, LindsayH. Thanks

The detections on the external drive are not necessarily infections. As you can see by the location and file names, AVG is flagging backups you created. All of those programs listed are legit and signed MS files, but the file signature is broken. That seems to be a common occurrence with AVG beginning with their version 9.0 and above. I wouldn't be too concerned about those at the moment, although you will want to create a fresh backup when we're through.

It is safe to backup any documents, pictures, music to that external drive.

===============================

You are infected with a particularly nasty infection most commonly known as ZAccess. Before we proceed with removal, I'll need to gather a bit more info so I can see if the master boot record is involved or not, and so I know ahead of time which file(s) are patched. Same as you did before, use another computer to download this next tool to a flash drive. Transfer the tool to the laptop and run it exactly as instructed below:

Download TDSSKiller.exe and save it to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 05-10-2012, 09:07 PM   #5
Registered Member
 
Join Date: May 2012
Posts: 135
OS: windows 7



Hi Ried
I have done a scan and it came up with no threats found. I clicked on the report tab but it won't let me save the log.

I have also copied my documents etc onto my hard drive as instructed.

Cheers
LindsayH
Old 05-10-2012, 09:12 PM   #6
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



The scan results are automatically saved to a file on the C:\ drive. If you click Start>Computer and double click the C:\ drive, you'll see the contents of the drive listed alphabetically, folders first then files. Scroll down and look for a filename that begins with TDSSKiller. Even though no threats were found, please copy/paste the contents of that report for me. :)
Old 05-10-2012, 09:19 PM   #7
Registered Member
 
Join Date: May 2012
Posts: 135
OS: windows 7



Hi Ried
Thanks for that. Here is the log. I tried to paste it into the thread but it's telling me it's too long, so I have attached the Notepad file.

Cheers
LindsayH
Attached file: TDSSKiller.2.7.34.0_11.05.2012_14.02.01_log.txt (259.9 KB)
Old 05-10-2012, 09:22 PM   #8
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Good work, thanks.

Now we can get started. Same as before, use another computer to download the next tool and transfer it to the desktop of the laptop.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Old 05-10-2012, 09:42 PM   #9
Registered Member
 
Join Date: May 2012
Posts: 135
OS: windows 7



Hi Ried
Just doing that scan now; it's taking a bit of time so I'll get it to you ASAP. I am working from my PC but to be honest I'm not sure if this is infected too, so I was going to get that checked as well. Will I need to start a new thread? I don't want to jump the queue as I understand there are other people wanting your time. I work through the net so I just want to be sure that both my machines are clean.

Cheers
LindsayH
Old 05-10-2012, 09:45 PM   #10
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



In this case, I don't consider posting for a second machine on-site, as jumping the queue.

Please do begin a new thread for the other machine. Entitle it 'Ried - PC2' so no one else grabs it. Let me know when you've done that and I'll review the logs.
Old 05-10-2012, 09:46 PM   #11
Registered Member
 
Join Date: May 2012
Posts: 135
OS: windows 7



Hi Ried
During the scan it came up telling me it detected a rootkit, then it told me to reboot the computer, so I did. I hope that's right; it's now scanning again.

Cheers
LindsayH
Old 05-10-2012, 09:48 PM   #12
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



I expected that it would. It said it detected Rootkit Zero Access, correct?

Yes, follow all prompts ComboFix gives you.
Old 05-10-2012, 09:50 PM   #13
Registered Member
 
Join Date: May 2012
Posts: 135
OS: windows 7



Hi Ried
Thank you, OK I will do that. I think it's night time where you are, so it may not be until later that I post it, so I understand you won't deal with it straight away. Any time you can deal with it would be great.

Cheers
LindsayH
Old 05-10-2012, 09:56 PM   #14
Registered Member
 
Join Date: May 2012
Posts: 135
OS: windows 7



Hi Ried
Before I started the scan I disabled my AVG until restart, but the scan rebooted my computer, so does that mean that this scan is no good because the reboot meant that AVG was activated again? I hope that makes sense.

Cheers
LindsayH
Old 05-10-2012, 09:57 PM   #15
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



It makes sense, and it's okay. See if you can disable AVG while ComboFix is finishing up - it'll go much quicker if you can.

And yes it is very late here and I will be calling it a night soon. Trying to stick around til you post the ComboFix.txt and review that for you. :)
Old 05-10-2012, 10:02 PM   #16
Registered Member
 
Join Date: May 2012
Posts: 135
OS: windows 7



Hi Ried
Sorry to keep you up late, I think it's almost done!
Old 05-10-2012, 10:11 PM   #17
Registered Member
 
Join Date: May 2012
Posts: 135
OS: windows 7



Hi Ried
Here is the log attached.
Cheers
LindsayH

ComboFix 12-05-11.02 - Client 11/05/2012 14:44:36.1.1 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.64.1033.18.2909.1839 [GMT 10:00]
Running from: c:\users\Client\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\4e38e4
c:\programdata\4e38e4\472880.reg
c:\programdata\4e38e4\564.mof
c:\programdata\4e38e4\abc64fefb25de5835319eaeefd8e0336.ocx
c:\programdata\4e38e4\BackUp\McAfee Security Scan Plus.lnk
c:\programdata\4e38e4\BackUp\OneNote 2010 Screen Clipper and Launcher.lnk
c:\programdata\4e38e4\ISE.ico
c:\programdata\4e38e4\mcp.ico
c:\programdata\4e38e4\mozcrt19.dll
c:\programdata\4e38e4\sqlite3.dll
c:\programdata\4e38e4\xrglsvagbnfgokd.dll
c:\programdata\AMMYY
c:\programdata\AMMYY\hr
c:\programdata\AMMYY\hr3
c:\programdata\AMMYY\settings3.bin
c:\programdata\ntuser.dat
c:\programdata\TheBflix
c:\programdata\TheBflix\background.html
c:\programdata\TheBflix\bhoclass.dll
c:\programdata\TheBflix\content.js
c:\programdata\TheBflix\data\content.js
c:\programdata\TheBflix\data\jsondb.js
c:\programdata\TheBflix\fgnippahjheicjenccifemomfgjofdhp.crx
c:\programdata\TheBflix\settings.ini
c:\programdata\TheBflix\uninstall.exe
c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
c:\users\Client\0.7897592794586422.exe
c:\users\Client\AppData\Local\fxnmyulp.log
c:\users\Client\AppData\Local\hthjltoh.log
c:\users\Client\AppData\Local\lfvnocje.log
c:\users\Client\AppData\Local\tytybcky.log
c:\users\Client\AppData\Local\uymoyjkp.log
c:\users\Client\AppData\Local\xrkgkxtt.log
c:\users\Client\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
c:\users\Client\AppData\Roaming\Microsoft\Windows\Recent\cb.exe
c:\users\Client\AppData\Roaming\Microsoft\Windows\Recent\CLSV.tmp
c:\users\Client\AppData\Roaming\Microsoft\Windows\Recent\delfile.drv
c:\users\Client\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
c:\users\Client\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
c:\users\Client\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.sys
c:\users\Client\AppData\Roaming\Microsoft\Windows\Recent\tjd.sys
c:\users\Client\g2mdlhlpx.exe
c:\windows\$NtUninstallKB49330$
c:\windows\$NtUninstallKB49330$\1703730539
c:\windows\$NtUninstallKB49330$\3296855088\@
c:\windows\$NtUninstallKB49330$\3296855088\cfg.ini
c:\windows\$NtUninstallKB49330$\3296855088\Desktop.ini
c:\windows\$NtUninstallKB49330$\3296855088\L\xadqgnnk
c:\windows\$NtUninstallKB49330$\3296855088\U\[email protected]
c:\windows\$NtUninstallKB49330$\3296855088\U\[email protected]
c:\windows\$NtUninstallKB49330$\3296855088\U\[email protected]
c:\windows\$NtUninstallKB49330$\3296855088\U\[email protected]
c:\windows\$NtUninstallKB49330$\3296855088\U\[email protected]
c:\windows\$NtUninstallKB49330$\3296855088\U\[email protected]
c:\windows\$NtUninstallKB49330$\3296855088\version
c:\windows\system32\dds_trash_log.cmd
E:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NwSapAgent
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-04-11 to 2012-05-11 )))))))))))))))))))))))))))))))
.
.
2012-05-07 22:37 . 2012-05-10 01:47 -------- d-----w- c:\users\Client\AppData\Local\jbuetdom
2012-04-25 10:28 . 2012-04-25 10:28 -------- d-----w- c:\users\Client\dwhelper
2012-04-24 00:32 . 2012-04-24 00:32 -------- d-----w- c:\users\Client\AppData\Roaming\AVG2012
2012-04-24 00:30 . 2012-05-10 22:59 -------- d-----w- c:\windows\system32\drivers\AVG
2012-04-24 00:30 . 2012-04-24 00:36 -------- d-----w- c:\programdata\AVG2012
2012-04-24 00:24 . 2012-04-24 00:24 -------- d--h--w- c:\programdata\Common Files
2012-04-24 00:24 . 2012-05-10 22:59 -------- d-----w- c:\programdata\MFAData
2012-04-24 00:19 . 2011-12-16 05:52 3903528 ----a-w- C:\avg_isct_stb_all_2012_1873_cnet.exe
2012-04-23 21:38 . 2012-05-07 01:36 -------- d-----w- c:\users\Client\AppData\Roaming\Nasyhia
2012-04-23 21:38 . 2012-04-24 00:41 -------- d-----w- c:\users\Client\AppData\Roaming\Wulixu
2012-04-22 21:33 . 2012-05-07 01:36 -------- d-----w- c:\users\Client\AppData\Roaming\Idzyha
2012-04-22 21:33 . 2012-04-24 00:41 -------- d-----w- c:\users\Client\AppData\Roaming\Aciq
2012-04-22 12:29 . 2012-04-24 00:41 -------- d-----w- c:\users\Client\AppData\Local\Region
2012-04-20 15:18 . 2012-05-02 00:07 -------- d-----w- c:\users\Client\AppData\Roaming\UBot Studio
2012-04-20 15:04 . 2012-05-08 05:13 -------- d-----w- C:\Wiki Master Blaster Pro
2012-04-19 10:54 . 2012-04-19 10:54 -------- d-----w- c:\users\Client\AppData\Local\{1DEA0E7B-8A0E-11E1-826D-B8AC6F996F26}
2012-04-19 10:54 . 2012-04-19 10:54 -------- d-----w- c:\users\Client\AppData\Local\{1DE9DB36-8A0E-11E1-826D-B8AC6F996F26}
2012-04-19 10:53 . 2012-04-24 01:29 -------- d-----w- c:\programdata\529C50D80004033B001F5C4BB4EB23C1
2012-04-19 10:53 . 2012-04-24 01:27 -------- d-----w- c:\program files\Common Files\Region
2012-04-18 18:50 . 2012-04-18 18:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-13 10:42 . 2012-04-13 10:42 -------- d-----w- c:\program files\Common Files\Skype
2012-04-11 12:14 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 12:14 . 2012-03-01 05:37 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 12:14 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 12:14 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 12:13 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-11 12:13 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-10 21:57 . 2012-04-10 21:57 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-10 21:57 . 2011-08-20 00:40 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-18 19:17 . 2012-03-18 19:17 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-02-28 03:23 . 2012-03-26 04:02 360264 ----a-w- c:\windows\system32\EasyRedirect.dll
2012-02-21 19:25 . 2012-02-21 19:25 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-02-17 05:34 . 2012-03-13 20:53 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-13 20:53 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-13 20:53 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 02:09 . 2012-02-14 02:09 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20a0be68-8fd9-4539-8712-ce3d1c1fdfc6}]
2012-01-17 19:28 262312 ----a-w- c:\program files\blekkotb\auxi\blekkoAu.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26c9e18c-3717-4be1-a225-04e4471f5b6e}]
2012-01-17 19:28 86696 ----a-w- c:\program files\blekkotb\blekkoDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2007-07-17 05:59 1379352 ----a-w- c:\program files\Wisdom-soft\tbWisd.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]
"{26c9e18c-3717-4be1-a225-04e4471f5b6e}"= "c:\program files\blekkotb\blekkoDx.dll" [2012-01-17 86696]
.
[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
.
[HKEY_CLASSES_ROOT\clsid\{26c9e18c-3717-4be1-a225-04e4471f5b6e}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]
.
[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2012-02-01 2918224]
"Easy-Hide-IP"="c:\program files\Easy-Hide-IP\easy-hide-ip.exe" [2012-02-28 4584264]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-28 17148552]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Vagex"="c:\users\Client\Desktop\Uk Chiropractors I have emailed\Vagex\Vagex.exe" [2012-05-08 157184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-07-10 352256]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 425984]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-07-29 163840]
"Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2009-08-10 1324384]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-04 611672]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]
"TosWaitSrv"="c:\program files\TOSHIBA\TPHM\TosWaitSrv.exe" [2009-08-07 611672]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 2446648]
"TosNC"="c:\program files\Toshiba\BulletinBoard\TosNcCore.exe" [2009-08-06 466792]
"TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2009-08-06 29528]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-01-17 232616]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-04 2587008]
.
c:\users\Client\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
OnlyWire.LNK - c:\program files\OnlyWire\OnlyWireWindows.exe [2011-9-20 44456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
2012-02-01 03:18 2918224 ----a-w- c:\program files\TechSmith\Jing\Jing.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 02:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
2008-02-05 22:43 156952 ----a-w- c:\program files\Uniblue\SpeedUpMyPC 3\StartSUMP2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-02-28 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 253600]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [2011-12-12 10064]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-10 1343400]
R4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [2011-12-14 1514304]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2012-04-18 24896]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2012-01-30 31952]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2011-05-22 47968]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2012-02-21 235216]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2012-03-18 301248]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG2012\avgfws.exe [2012-03-22 2321520]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [2012-04-29 5106744]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2012-02-13 193288]
S2 EasyRedirect;EasyRedirect;c:\program files\Easy-Hide-IP\rdr\EasyRedirect.exe [2012-02-28 3325768]
S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe [2009-04-20 2869760]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-07-07 62832]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-02-23 2886528]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-08-10 181616]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 12920]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2011-12-23 139856]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [2011-12-23 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2011-12-23 17232]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 24064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-11-26 233472]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-11-04 376832]
S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-08-07 685424]
.
.
NETSVCS REQUIRES REPAIRS - current entries shown
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
Tapisrv
Wmi
WmdmPmSp
z800obex
SE27mdfl
DivisCTS
lgsnd_filter
se45unic
NtMtlFax
Fd16_700
LUsbFilt
nmwcdcm
CTAudSvcService
hclinetd
NwSapAgent
alcxwdm
atimtag
DynDNS_Updater_Service
2wirepcp
SMNDIS5
hSONYPVh
rupsmon
arp1394
wampmysqld
pid_0928
CTMFLT
filterservice
alim1541
w800obex
dmadmin
digisptiservice
bmuservice
pxfhserd
{85ccb53b-23d8-4e73-b1b7-9ddb71827d9b}
SE2Emgmt
sentinelprotectionserver
sonicatheaterinstallerservice
mozyFilter
symantecantibotdriver
wmdmpmsp
backupexecnamingservice
vwlogger
se44bus
autocomplete
smartscaps
z525obex
wlancfg
Ld51ocnucsnp
USA49W2KP
cqmghost
cfsvcs
z525mdfl
ATIBTCAP
acermemusagecheckservice
pdlndtdl
vaiomediaplatform-mobile-gateway
nwlnkspx
ctxcpuusync
bridge
UCTblHid
prepdrvr
IBMTPCHK
sprtsvc_dellsupportcenter
USIUDF
w22n51
GoogleDesktopManager-010708-104812
mysql
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
BDESVC
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 21:57]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0c57a210c460.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:58]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:58]
.
2012-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3496677331-2840205687-1267109365-1004Core1cd0a2642b2a5d6.job
- c:\users\Client\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-07 04:01]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3496677331-2840205687-1267109365-1004UA.job
- c:\users\Client\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-07 04:01]
.
2012-04-24 c:\windows\Tasks\SidebarExecute.job
- c:\program files\Windows Sidebar\sidebar.exe [2011-03-16 12:17]
.
2012-01-13 c:\windows\Tasks\{10FB43F1-C9B1-45C6-A506-823D17D45C24}.job
- c:\program files\Skype\Phone\Skype.exe [2012-02-28 22:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\AVG\AVG2012\avgdtiex.dll
LSP: c:\windows\system32\EasyRedirect.dll
TCP: DhcpNameServer = 10.0.0.138
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{EEDDBC78-69C9-4083-9FDA-2A7AEC1F1B0A} - c:\programdata\TheBflix\bhoclass.dll
Toolbar-Locked - (no file)
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Internet Security Essentials - c:\programdata\4e38e4\IS4e3_196.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-TOSHIBA Software Modem - c:\windows\agrsmdel
AddRemove-{37476589-E48E-439E-A706-56189E2ED4C4} - c:\programdata\TheBflix\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3496677331-2840205687-1267109365-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F71BC25-C762-47DA-586C-72454E55164C}*]
@Allowed: (Read) (RestrictedCode)
"gacaiefojfnkea"=hex:61,63,69,6b,67,65,62,70,6f,6b,70,63,69,61,65,66,66,68,6f,
6e,70,65,64,70,61,6b,6f,64,6f,64,6a,61,64,69,6f,6d,67,66,62,6e,6f,64,69,63,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000009
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(7084)
c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\conhost.exe
c:\windows\system32\java.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\WUDFHost.exe
c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
c:\windows\ehome\mcupdate.EXE
c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-05-11 15:07:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-11 05:07
.
Pre-Run: 82,970,050,560 bytes free
Post-Run: 82,580,426,752 bytes free
.
- - End Of File - - DB531398216828D43AA4A2121A6D35CD
Old 05-10-2012, 10:22 PM   #18
Ried (TSF Security Manager Emeritus, Microsoft Most Valuable Professional)
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

Thanks. :)

Do you have internet access back now on this machine?
Old 05-10-2012, 10:26 PM   #19
LindsayH (Registered Member)
Join Date: May 2012
Posts: 135
OS: windows 7

Hi Ried
I had Firefox but uninstalled it, and it wouldn't let me download anything so I couldn't upload it again. Internet Explorer was allowing me to access the net, but again it wouldn't let me download anything. I will have to check and see if it's back to normal. I also have to go out now, so I'll let you know and wait to hear back from you. Many, many thanks again, I really appreciate your time and help.

Cheers
LindsayH
Old 05-10-2012, 10:28 PM   #20
Ried (TSF Security Manager Emeritus, Microsoft Most Valuable Professional)
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

Ok. That's fine. You go ahead and do what you need to do. I'll get some sleep and we'll continue tomorrow. :)