
System tool 2011 removal assistance



AFD_C9
2010-12-12, 04:54
I have this dreaded thing and I cannot get rid of it.
Any help and direction would be appreciated.


DDS (Ver_10-12-12.01) - NTFS_AMD64 NETWORK
Run by Chief at 21:26:51.27 on Sat 12/11/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8184.6341 [GMT -5:00]

AV: Norton Security Suite *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Security Suite *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\Navw32.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Chief\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.firehouse.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cndt
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cndt
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\tbZyng.dll
uURLSearchHooks: Free TV Bar c3 Toolbar: {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - C:\Program Files (x86)\Free_TV_Bar_c3\tbFree.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\tbZyng.dll
mURLSearchHooks: Free TV Bar c3 Toolbar: {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - C:\Program Files (x86)\Free_TV_Bar_c3\tbFree.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Free TV Bar c3 Toolbar: {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - C:\Program Files (x86)\Free_TV_Bar_c3\tbFree.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\IPSBHO.DLL
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\tbZyng.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0560.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0560.0\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\tbZyng.dll
TB: Free TV Bar c3 Toolbar: {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - C:\Program Files (x86)\Free_TV_Bar_c3\tbFree.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Google Update] "C:\Users\Chief\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRunOnce: [hApHh06301] C:\ProgramData\hApHh06301\hApHh06301.exe
uRunOnce: [SpybotDeletingB4831] command.com /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL"
uRunOnce: [SpybotDeletingD7649] cmd.exe /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL"
uRunOnce: [SpybotDeletingB3486] command.com /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL"
uRunOnce: [SpybotDeletingD9356] cmd.exe /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL"
uRunOnce: [SpybotDeletingB3355] command.com /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL"
uRunOnce: [SpybotDeletingD5821] cmd.exe /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL"
mRun: [<NO NAME>]
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRunOnce: [SpybotDeletingA3740] command.com /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL"
mRunOnce: [SpybotDeletingC4070] cmd.exe /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL"
mRunOnce: [SpybotDeletingA2248] command.com /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL"
mRunOnce: [SpybotDeletingC5893] cmd.exe /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL"
mRunOnce: [SpybotDeletingA4733] command.com /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL"
mRunOnce: [SpybotDeletingC2627] cmd.exe /c del "C:\Program Files (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\CoIEPlg.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB-X64: {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No File
TB-X64: {3EE8D0BE-F450-4EF2-97B9-AC2222D14DB3} - No File

============= SERVICES / DRIVERS ===============

R0 ahcix64s;ahcix64s;C:\Windows\System32\drivers\ahcix64s.sys [2009-8-19 237936]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\0308000.029\SymEFA64.sys [2010-3-12 402992]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-19 233472]
S1 BHDrvx64;Symantec Heuristics Driver;C:\Windows\System32\drivers\N360x64\0308000.029\BHDrvx64.sys [2010-3-12 334384]
S1 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\N360x64\0308000.029\cchpx64.sys [2010-3-12 583296]
S1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101210.001\IDSviA64.sys [2010-12-11 476792]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-4-6 202752]
S2 AMD_RAIDXpert;AMD RAIDXpert;C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-3-16 122880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 HPBtnSrv;HP Easy Backup Button Service;C:\Program Files (x86)\Hewlett-Packard\HP Easy Backup\HPBtnSrv.exe [2009-8-19 192512]
S2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2010-3-12 117640]
S3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-4-6 6659072]
S3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-4-6 195584]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-5-29 132656]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\PC-Doctor for Windows\pcdsrvc_x64.pkms [2009-6-10 23536]
S3 SYMNDISV;Symantec Network Filter Driver;C:\Windows\System32\drivers\N360x64\0308000.029\symndisv.sys [2010-3-12 56880]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2009-8-28 49152]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-4-10 1255736]

=============== Created Last 30 ================

2010-12-12 01:40:33 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2010-12-12 01:40:33 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2010-12-12 01:27:53 -------- d-----w- C:\Users\Chief\AppData\Local\ElevatedDiagnostics
2010-12-12 00:36:10 -------- d-----w- C:\PROGRA~3\hApHh06301
2010-12-10 14:57:11 -------- d-----w- C:\Users\Chief\AppData\Roaming\webex
2010-12-10 14:56:56 -------- d-----w- C:\PROGRA~3\WebEx
2010-12-09 22:09:25 -------- d-----w- C:\Users\Chief\AppData\Roaming\GARMIN
2010-12-09 22:09:13 -------- d-----w- C:\Program Files (x86)\Garmin GPS Plugin
2010-12-09 22:09:09 -------- d-----w- C:\Program Files (x86)\Garmin
2010-12-07 17:53:08 -------- d-----w- C:\Users\Chief\.jagex_cache_32
2010-12-06 02:13:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-06 02:13:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-06 02:13:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-06 02:13:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-06 02:13:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-06 02:13:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-06 02:13:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2010-12-06 02:12:45 -------- d-----w- C:\Program Files\Bonjour
2010-12-06 02:12:45 -------- d-----w- C:\Program Files (x86)\Bonjour
2010-11-30 04:11:14 -------- d-----w- C:\Users\Chief\AppData\Local\Lee_Madder
2010-11-30 03:52:45 -------- d-----w- C:\StatesideBingo404(unzipped)
2010-11-30 03:45:48 -------- d-----w- C:\Users\Chief\AppData\Local\InterBA
2010-11-30 03:45:43 68496 ----a-w- C:\Windows\UnDeployV.exe
2010-11-28 04:01:00 -------- d-----w- C:\Users\Chief\AppData\Roaming\HU2011
2010-11-24 13:56:33 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2010-11-24 13:56:33 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2010-11-24 03:15:43 -------- d-----w- C:\Program Files (x86)\Common Files\Microsoft Games
2010-11-24 02:59:41 -------- d-----w- C:\Program Files (x86)\Microsoft Games
2010-11-22 01:44:20 -------- d-----w- C:\Program Files (x86)\Rigs of Rods

==================== Find3M ====================

2010-11-20 00:42:54 234536 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2010-11-20 00:42:54 234536 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2010-10-07 17:36:16 96544 ----a-w- C:\Windows\System32\dnssd.dll
2010-10-07 17:36:16 69408 ----a-w- C:\Windows\System32\jdns_sd.dll
2010-10-07 17:36:16 237856 ----a-w- C:\Windows\System32\dnssdX.dll
2010-10-07 17:36:16 119584 ----a-w- C:\Windows\System32\dns-sd.exe
2010-10-07 17:23:02 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
2010-10-07 17:23:02 75040 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2010-10-07 17:23:02 197920 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2010-10-07 17:23:02 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe

ken545
2010-12-16, 14:10


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

ken545
2010-12-21, 14:08
Due to inactivity, this thread will now be closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, as you would be starting fresh.