Computer and flash drive is infected with something



Doom Saber
2011-05-30, 11:02
Hi,

The computer I am using right now is infected with something bad. I think the flash drive connected to it is also infected.

The computer has been infected for a month now. At first, it had pop-up websites, but those were cleaned out. Eventually, the computer would have a hard time turning off. Now, the computer has a hard time booting - to boot the computer, I have to press F8, which works sometimes. Yesterday, I tried going to an educational website, but misspelled something. Because of that, it went to an infected site, causing the browser to open random search engines whenever I try searching for something.

Spybot results:

MTC.MakeMeSearch.com: [SBI $EF0EE69A] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar

MTC.MakeMeSearch.com: [SBI $EF0EE69A] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar

FunWebProducts: [SBI $685582A8] Configuration file (File, nothing done)
C:\Windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
Properties.size=365
Properties.md5=88D1DC668D4F5133F62356A179368DDA
Properties.filedate=1177445474
Properties.filedatetext=2007-04-24 13:11:14

FunWebProducts: [SBI $E3AF827A] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{1F52A5FA-A705-4415-B975-88503B291728}

FunWebProducts: [SBI $036600C0] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}

FunWebProducts: [SBI $28AAB8CB] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}

MyWay.MyWebSearch: [SBI $45492A3B] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}

MyWay.MyWebSearch: [SBI $C7B4FC73] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}

MyWay.MyWebSearch: [SBI $B4140203] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3E720453-B472-4954-B7AA-33069EB53906}

MyWay.MyWebSearch: [SBI $7D166358] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}

MyWay.MyWebSearch: [SBI $5B4611BE] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}

MyWay.MyWebSearch: [SBI $4689C01C] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}

MyWay.MyWebSearch: [SBI $7390AC55] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}

MyWay.MyWebSearch: [SBI $93F63F8F] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\m3ffxtbr@mywebsearch.com

MyWay.MyWebSearch: [SBI $33173CA4] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@mywebsearch.com/Plugin

Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

FunWebProducts: [SBI $FD7B3B13] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}

Huntbar.Stoolbar: [SBI $E9FB2A16] Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Search Toolbar

MyWebSearch: [SBI $063FAF8F] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}

MyWebSearch: [SBI $4B220C13] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{120927BF-1700-43BC-810F-FAB92549B390}

MyWebSearch: [SBI $9BC10F0D] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}

MyWebSearch: [SBI $0778094F] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}

MyWebSearch: [SBI $4343368F] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}

MyWebSearch: [SBI $EB0F98F9] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}

MyWebSearch: [SBI $134ADC4E] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}

MyWebSearch: [SBI $7085932F] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{991AAC62-B100-47CE-8B75-253965244F69}

MyWebSearch: [SBI $A352080D] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}

MyWebSearch: [SBI $689AB931] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}

MyWebSearch: [SBI $1FBE02BC] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}

MyWebSearch: [SBI $FB21141E] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}

Win32.AutoRun.tmp: [SBI $751B1850] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

Win32.Agent.len: [SBI $084E885C] Autorun settings (lenscrset) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lenscrset

Win32.Agent.len: [SBI $084E885C] Program file (File, nothing done)
C:\Windows\system32\lenscrset.exe
Properties.size=45056
Properties.md5=51D94AF3BC8843B35C9E7F0D5A3A1DA4
Properties.filedate=1229668317
Properties.filedatetext=2008-12-18 23:31:57

Win32.Agent.len: [SBI $084E885C] Autorun settings (lenscrset) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lenscrset

Right Media: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
Statcounter: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
MediaPlex: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
DirectTrack: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
BurstMedia: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
FastClick: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
DoubleClick: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
DirectTrack: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
DirectTrack: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
MediaPlex: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
MediaPlex: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
BurstMedia: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
Zedo: Tracking cookie (Internet Explorer: David) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Right Media: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Right Media: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Tradedoubler: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Tradedoubler: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Tradedoubler: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Bluemountain: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Bluemountain: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
WebTrends live: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Statcounter: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2010-08-06 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-07-27 Includes\AdwareC.sbi (*)
2010-01-25 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-07-27 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-07-27 Includes\HijackersC.sbi (*)
2010-06-02 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-08-02 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-06-01 Includes\Malware.sbi (*)
2010-08-02 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-07-20 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-07-27 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-07-27 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-08-04 Includes\Trojans.sbi (*)
2010-07-28 Includes\TrojansC-02.sbi (*)
2010-07-28 Includes\TrojansC-03.sbi (*)
2010-07-28 Includes\TrojansC-04.sbi (*)
2010-08-02 Includes\TrojansC-05.sbi (*)
2010-08-02 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

DDS results:
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18783
Run by David at 0:24:27 on 2011-05-30
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3317.1678 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Lenovo\Lenovo Standard Keyboard Driver\SkDaemond.exe
C:\Program Files\Trend Micro\OKAVAgent\OKAVAgent.exe
C:\Program Files\Lenovo\Healthcare\HealthCare.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\David\Desktop\dds.com
C:\Windows\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
mDefault_Page_URL = hxxp://www.lenovo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\david\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Goal] c:\users\david\appdata\roaming\JO6uMFE5D.exe
mRun: [Unattend0000000001{630DEC53-CECA-49A3-896C-B064A4DC05AA}] c:\windows\test.bat
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SkDaemond] c:\program files\lenovo\lenovo standard keyboard driver\SkDaemond.exe
mRun: [lenscrset] c:\windows\system32\lenscrset.exe /run
mRun: [Healthcare] c:\program files\lenovo\healthcare\HealthCare.exe /hide
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 2007\pccguide.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\david\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\david\appdata\roaming\micros~1\windows\startm~1\programs\startup\neverw~1.lnk - c:\neverwinternights\nwn\ereg\ATR1.exe
StartupFolder: c:\users\david\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: myitlab.com
Trusted Zone: pearsoncmg.com
Trusted Zone: pearsoned.com
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\system32\drivers\ddcdrv.sys [2008-12-18 13680]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 OKAV Agent Service;OKAV Agent Service;c:\program files\trend micro\okavagent\OKAVAgent.exe [2008-2-1 66824]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-12-18 36368]
R3 WMP55AG;Linksys Dual-Band Wireless A+G PCI Adapter Service;c:\windows\system32\drivers\WMP55AG.sys [2007-7-31 743424]
S1 MpKsl25afde6a;MpKsl25afde6a;c:\programdata\microsoft\microsoft antimalware\definition updates\{9662876e-6bfc-4f1a-a037-0da73a845a24}\MpKsl25afde6a.sys [2011-5-28 28752]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-8-6 1153368]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-12-28 480784]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-12-28 566872]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-13 25832]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-8-28 10664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
.
=============== Created Last 30 ================
.
2011-05-28 19:09:08 -------- d-----w- c:\programdata\gF28601BdBaO28601
2011-05-28 18:37:25 58368 ----a-w- c:\program files\windows mail\rasadhlp.dll
2011-05-28 18:37:25 58368 ----a-w- c:\program files\microsoft games\chess\rasadhlp.dll
2011-05-28 16:22:59 139264 --sha-r- c:\windows\system32\CIRCoInst8.dll
2011-05-28 02:14:46 -------- d-----w- c:\program files\whitesmoketoolbar
2011-05-27 20:34:50 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9662876e-6bfc-4f1a-a037-0da73a845a24}\mpengine.dll
2011-05-25 19:08:35 -------- d-----w- c:\users\david\appdata\roaming\MediaVideoConverter Software Studio
2011-05-25 19:07:13 -------- d-----w- c:\program files\MediaVideoConverter
2011-05-20 14:50:25 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1af517e9-526e-4f74-af4b-29efb68715e7}\gapaengine.dll
2011-05-11 09:27:12 -------- d-----w- c:\program files\VideoLAN
2011-05-06 21:19:12 -------- d-----w- c:\program files\iPod
2011-05-06 21:19:05 -------- d-----w- c:\program files\iTunes
2011-05-06 21:12:58 -------- d-----w- c:\program files\Bonjour
2011-05-04 23:56:26 -------- d-----w- c:\program files\GameSpy Arcade
2011-05-04 23:34:27 -------- d-----w- C:\NeverwinterNights
.
==================== Find3M ====================
.
2011-04-10 09:12:26 249856 ------w- c:\windows\Setup1.exe
2011-04-10 09:12:25 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-04-07 06:45:29 22016 ---ha-w- c:\users\david\appdata\roaming\new3.exe
2011-04-06 23:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 23:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-05 18:09:15 22016 ---ha-w- c:\users\david\appdata\roaming\new2.exe
2011-03-19 18:58:33 54784 ---ha-w- c:\users\david\appdata\roaming\juat19.exe
.
============= FINISH: 0:25:00.57 ===============
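An added example, not part of the thread and not a DDS or Spybot feature: a small Python triage pass over DDS-style lines like those in the report above, flagging autorun entries that launch from user-writable paths or script files, random-looking executable names, and hidden-attribute executables. The heuristics and their wording are mine; the sample lines are copied from the DDS output above, and the example also shows why such a pass only supplements a scanner: lenscrset.exe, which Spybot identified, is not caught by these rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the DDS report posted above.
SAMPLE_LOG = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Goal] c:\users\david\appdata\roaming\JO6uMFE5D.exe
mRun: [Unattend0000000001{630DEC53-CECA-49A3-896C-B064A4DC05AA}] c:\windows\test.bat
mRun: [lenscrset] c:\windows\system32\lenscrset.exe /run
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
2011-04-07 06:45:29 22016 ---ha-w- c:\users\david\appdata\roaming\new3.exe
2011-04-06 23:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-03-19 18:58:33 54784 ---ha-w- c:\users\david\appdata\roaming\juat19.exe
2011-05-28 16:22:59 139264 --sha-r- c:\windows\system32\CIRCoInst8.dll
"""

# uRun / mRun: per-user and machine-wide Run-key entries in the DDS pseudo-HJT section.
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Find3M / "Created Last 30" entries: date time size attributes path.
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ (?P<attrs>[-a-z]{8}) (?P<path>.+)$')
# Either the first quoted string or the shortest prefix ending in an executable extension.
PATH_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|bat|cmd|com|scr|pif|vbs|js|dll))(?=[\s,]|$)', re.I)

EXEC_EXT = ('.exe', '.bat', '.cmd', '.com', '.scr', '.pif', '.vbs', '.js', '.dll')
SCRIPT_EXT = ('.bat', '.cmd', '.vbs', '.js')
# Locations a standard user can write to; an autorun pointing here deserves a closer look.
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\programdata\\', '\\temp\\')

@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

def extract_path(cmd):
    """Return the program path from a Run-key command line, or None."""
    m = PATH_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else None

def looks_random(stem):
    """Mixed-case letters plus digits in an 8+ character name, e.g. JO6uMFE5D."""
    return bool(re.fullmatch(r'[A-Za-z0-9]{8,}', stem) and re.search(r'\d', stem)
                and re.search(r'[a-z]', stem) and re.search(r'[A-Z]', stem))

def triage_line(line):
    """Return the heuristic reasons (possibly none) a single log line deserves review."""
    reasons = []
    m = RUN_RE.match(line)
    if m:
        path = extract_path(m.group('cmd'))
        if path is None:
            return reasons
        low = path.lower()
        stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        if any(tok in low for tok in USER_WRITABLE):
            reasons.append('autorun launches from a user-writable location')
        if low.endswith(SCRIPT_EXT):
            reasons.append('autorun launches a script file')
        if looks_random(stem):
            reasons.append('autorun target has a random-looking name')
        return reasons
    m = FILE_RE.match(line)
    if m:
        attrs, low = m.group('attrs'), m.group('path').lower()
        if 'h' in attrs and low.endswith(EXEC_EXT):
            where = 'user profile' if any(tok in low for tok in USER_WRITABLE) else 'system location'
            reasons.append(f'hidden executable ({attrs}) in {where}')
    return reasons

def triage(text):
    """Keep only the lines that earned at least one reason."""
    return [Finding(ln.strip(), triage_line(ln.strip()))
            for ln in text.splitlines() if triage_line(ln.strip())]

if __name__ == '__main__':
    # Note: lenscrset.exe, which Spybot identified above, is NOT caught by these
    # heuristics; a pass like this supplements a scanner, it does not replace one.
    for f in triage(SAMPLE_LOG):
        print(f.line, '->', '; '.join(f.reasons))
```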

shelf life
2011-06-06, 00:06
hi Doom Saber,

Your post is a few days old. If you still need help simply reply back.

Doom Saber
2011-06-10, 22:23
hi Doom Saber,

Your post is a few days old. If you still need help simply reply back.

I still need help. I forgot to include the attached zip file from my initial post, so here it is:

shelf life
2011-06-11, 03:52
Ok. We will get a download to use. It's called Combofix. There is a guide to read first. Read through the guide, then apply the directions on your own machine. Post the Combofix log in your reply.


Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Doom Saber
2011-06-22, 10:44
I am having trouble opening it, since the program won't run with Microsoft Essentials on, and I can't remove it in Safe Mode or Normal Mode; Safe Mode says it can't remove the program, and in Normal Mode I can't remove it because the trojan refuses to remove it.

shelf life
2011-06-23, 00:39
Try this;

Please download Rkill by Grinler and save it to your desktop:
1) http://download.bleepingcomputer.com/grinler/rkill.pif
2) http://download.bleepingcomputer.com/grinler/rkill.scr
3) http://download.bleepingcomputer.com/grinler/rkill.com
4) http://download.bleepingcomputer.com/grinler/rkill.exe
5) http://download.bleepingcomputer.com/grinler/rkill.pif

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or W7, right-click on it and Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. After it's finished, try running Malwarebytes and Combofix again.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links (2-5) until the tool runs.

Note: This doesn't delete malware; it only terminates certain processes that are keeping Malwarebytes/Combofix etc. from running. After Rkill is done running, try to start Malwarebytes, update it and do a full scan.
We will come back to combofix if needed.