
View Full Version : Smitfraud-c.generic



mgsmj
2012-03-16, 06:09
About a week ago, Google started redirecting me to other websites. Spybot found smitfraud-c.gp, which is now smitfraud-c.generic, and “fixed” the problem, but it returns with each scan. I have been unable to remove it. I have also done a system restore with no luck. Ran DDS; the DDS and Spybot logs are pasted below, and the zipped DDS log is attached. I have disabled the TeaTimer as instructed.
Please note BitTorrent was installed by someone in my household. I had uninstalled it, but it was restored with the system restore. I have uninstalled it again, but it will not let me remove the toolbar. I am also unable to uninstall several other programs I no longer use; I am told "Windows installer service cannot be accessed".

Any help would be greatly appreciated. Thanks!


.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_25
Run by Jamie at 22:39:53 on 2012-03-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2812.1161 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
-netsvcs
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\TEMP\0.7067987394497796
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/?cid=cgps03152012
uSearch Bar = Preserve
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27360210d515l04c4z185t44n2x235
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27360210d515l04c4z185t44n2x235
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;;192.168.*.*
uURLSearchHooks: H - No File
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files (x86)\xfin_portal\comcastdx.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.0.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Security Suite\Engine\5.0.0.125\IPS\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Constant Guard Protection Suite (COM): {b84cdbe7-1b46-494b-a188-01d4c52deb61} - C:\Program Files (x86)\Constant Guard Protection Suite\NativeBHO.dll
BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - C:\Program Files (x86)\xfin_portal\auxi\comcastAu.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
TB: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files (x86)\xfin_portal\comcastdx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Security Suite\Engine\5.0.0.125\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Akamai NetSession Interface] "C:\Users\Jamie\AppData\Local\Akamai\netsession_win.exe"
uRun: [Google Update] "C:\Users\Jamie\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [ComcastAntispyClient] "C:\Program Files (x86)\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide
uRunOnce: [SpybotDeletingB8927] command.com /c del "C:\Windows\svchost.exe_old"
uRunOnce: [SpybotDeletingD203] cmd.exe /c del "C:\Windows\svchost.exe_old"
uRunOnce: [SpybotDeletingB6336] command.com /c del "C:\Windows\svchost.exe"
uRunOnce: [SpybotDeletingD9755] cmd.exe /c del "C:\Windows\svchost.exe"
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [GIDDesktop] C:\Program Files (x86)\SFT\GuardedID\gidd.exe /s
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
mRunOnce: [SpybotDeletingA8127] command.com /c del "C:\Windows\svchost.exe_old"
mRunOnce: [SpybotDeletingC4497] cmd.exe /c del "C:\Windows\svchost.exe_old"
mRunOnce: [SpybotDeletingA9564] command.com /c del "C:\Windows\svchost.exe"
mRunOnce: [SpybotDeletingC3699] cmd.exe /c del "C:\Windows\svchost.exe"
StartupFolder: C:\Users\Jamie\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Auto Detect.lnk.disabled
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CONSTA~1.LNK - C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/69.10/uploader2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{248ECABF-053B-4626-95FB-D41B867FA711} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{248ECABF-053B-4626-95FB-D41B867FA711}\24F6A616E676C65637 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{248ECABF-053B-4626-95FB-D41B867FA711}\25963686D41607C656 : DhcpNameServer = 68.87.73.246 68.87.71.230 192.168.1.1
TCP: Interfaces\{248ECABF-053B-4626-95FB-D41B867FA711}\353484D294130303F543635383 : DhcpNameServer = 192.168.16.1
TCP: Interfaces\{248ECABF-053B-4626-95FB-D41B867FA711}\5415B4D463 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{248ECABF-053B-4626-95FB-D41B867FA711}\B69627368637475696761373 : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{248ECABF-053B-4626-95FB-D41B867FA711}\E4544574541425 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{856ED3C4-B8B5-470E-B3C2-641E5FDB459F} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - C:\Program Files (x86)\SFT\GuardedID\gidi.exe /v
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files (x86)\xfin_portal\comcastdx.dll
BHO-X64: XFINITY Toolbar - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.0.0.125\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\5.0.0.125\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
BHO-X64: BitTorrentBar - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Constant Guard Protection Suite (COM): {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\Program Files (x86)\Constant Guard Protection Suite\NativeBHO.dll
BHO-X64: Constant Guard Protection Suite (COM) - No File
BHO-X64: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - C:\Program Files (x86)\xfin_portal\auxi\comcastAu.dll
BHO-X64: Updater For XFIN_PORTAL - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
TB-X64: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files (x86)\xfin_portal\comcastdx.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\5.0.0.125\coIEPlg.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [GIDDesktop] C:\Program Files (x86)\SFT\GuardedID\gidd.exe /s
mRunOnce-x64: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
mRunOnce-x64: [SpybotDeletingA8127] command.com /c del "C:\Windows\svchost.exe_old"
mRunOnce-x64: [SpybotDeletingC4497] cmd.exe /c del "C:\Windows\svchost.exe_old"
mRunOnce-x64: [SpybotDeletingA9564] command.com /c del "C:\Windows\svchost.exe"
mRunOnce-x64: [SpybotDeletingC3699] cmd.exe /c del "C:\Windows\svchost.exe"
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Jamie\AppData\Roaming\Mozilla\Firefox\Profiles\2ehliz9e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0500000.07D\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0500000.07D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0500000.07D\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0500000.07D\SYMEFA64.SYS [?]
R1 GIDv2;GIDv2;C:\Windows\system32\drivers\GIDv2.sys --> C:\Windows\system32\drivers\GIDv2.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20101123.003\BHDrvx64.sys [2012-3-15 953904]
S1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20101201.001\IDSviA64.sys [2012-3-15 476792]
S1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
S1 mwlPSDFilter;mwlPSDFilter;C:\Windows\system32\DRIVERS\mwlPSDFilter.sys --> C:\Windows\system32\DRIVERS\mwlPSDFilter.sys [?]
S1 mwlPSDNServ;mwlPSDNServ;C:\Windows\system32\DRIVERS\mwlPSDNServ.sys --> C:\Windows\system32\DRIVERS\mwlPSDNServ.sys [?]
S1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys --> C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys [?]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0500000.07D\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0500000.07D\Ironx64.SYS [?]
S1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\drivers\N360x64\0500000.07D\SYMNETS.SYS --> C:\Windows\system32\drivers\N360x64\0500000.07D\SYMNETS.SYS [?]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
S2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S2 AntiSpywareService;Comcast AntiSpyware;C:\Program Files (x86)\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-6-17 616408]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2009-11-5 844320]
S2 Greg_Service;GRegService;C:\Program Files (x86)\Acer\Registration\GregHSRW.exe [2009-8-28 1150496]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-12 135664]
S2 IDVaultSvc;CGPS Service;C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [2012-2-15 65096]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-15 652360]
S3 CASprint;Sprint Con App Svc;C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [2008-7-7 124184]
S3 EraserUtilDrv11122;EraserUtilDrv11122;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11122.sys [2012-3-15 138360]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-12 135664]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;\??\C:\Windows\system32\PCTINDIS5X64.SYS --> C:\Windows\system32\PCTINDIS5X64.SYS [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
.
=============== Created Last 30 ================
.
2012-03-16 02:35:12 -------- d-----w- C:\Users\Jamie\Option
2012-03-16 02:11:40 20480 ----a-w- C:\Windows\svchost.exe
2012-03-16 02:10:49 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{519195CC-CC73-416F-B729-4A030C26FDA2}\offreg.dll
2012-03-15 22:38:10 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-03-15 22:37:56 174640 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-03-15 22:37:55 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2012-03-15 22:37:21 802864 ----a-r- C:\Windows\System32\drivers\N360x64\0500000.07D\SymEFA64.sys
2012-03-15 22:37:21 735864 ----a-r- C:\Windows\System32\drivers\N360x64\0500000.07D\srtsp64.sys
2012-03-15 22:37:21 450608 ----a-r- C:\Windows\System32\drivers\N360x64\0500000.07D\SymDS64.sys
2012-03-15 22:37:21 40568 ----a-r- C:\Windows\System32\drivers\N360x64\0500000.07D\srtspx64.sys
2012-03-15 22:37:21 382072 ----a-r- C:\Windows\System32\drivers\N360x64\0500000.07D\symnets.sys
2012-03-15 22:37:20 171128 ----a-r- C:\Windows\System32\drivers\N360x64\0500000.07D\Ironx64.sys
2012-03-15 22:36:57 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
2012-03-15 22:36:56 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2012-03-15 22:36:11 -------- d-----w- C:\Windows\System32\drivers\N360x64\0500000.07D
2012-03-15 22:36:11 -------- d-----w- C:\Windows\System32\drivers\N360x64
2012-03-15 22:36:06 -------- d-----w- C:\Program Files (x86)\Norton Security Suite
2012-03-15 21:46:26 -------- d-----w- C:\Users\Jamie\AppData\Local\ID Vault
2012-03-15 21:46:26 -------- d-----w- C:\ProgramData\IsolatedStorage
2012-03-15 21:44:48 91720 ----a-w- C:\Program Files (x86)\Mozilla Firefox\IdVaultCore.XmlSerializers.dll
2012-03-15 21:44:48 8007680 ----a-w- C:\Program Files (x86)\Mozilla Firefox\Microsoft.mshtml.dll
2012-03-15 21:44:48 1644616 ----a-w- C:\Program Files (x86)\Mozilla Firefox\IdVaultCore.dll
2012-03-15 21:44:48 136264 ----a-w- C:\Program Files (x86)\Mozilla Firefox\CommonDotNET.dll
2012-03-15 21:44:25 -------- d-----w- C:\Users\Jamie\AppData\Roaming\ID Vault
2012-03-15 21:43:55 29288 ------w- C:\Windows\System32\drivers\gidv2.sys
2012-03-15 21:43:53 65816 ------w- C:\Windows\System32\GIDLogonCP64.dll
2012-03-15 21:43:52 467224 ------w- C:\Windows\System32\GIDHOOK64.DLL
2012-03-15 21:43:52 446752 ------w- C:\Windows\System32\GIDHookLogon64.dll
2012-03-15 21:43:52 206608 ------w- C:\Windows\System32\GIDBIN1.DLL
2012-03-15 21:43:52 109064 ------w- C:\Windows\System32\EasyHook64.dll
2012-03-15 21:43:52 102160 ------w- C:\Windows\System32\GIDBIN3.DLL
2012-03-15 21:43:48 -------- d-----w- C:\ProgramData\GID
2012-03-15 21:43:44 -------- d-----w- C:\Program Files (x86)\SFT
2012-03-15 21:42:37 -------- d-----w- C:\Program Files (x86)\Common Files\scanner
2012-03-15 21:42:34 -------- d-----w- C:\Program Files (x86)\comcasttb
2012-03-15 21:42:11 -------- d-----w- C:\Program Files (x86)\CA
2012-03-15 21:41:09 -------- d-----w- C:\Program Files (x86)\xfin_portal
2012-03-15 21:40:47 -------- d-----w- C:\Program Files (x86)\Constant Guard Protection Suite
2012-03-15 21:40:19 -------- d-----w- C:\ProgramData\White Sky, Inc
2012-03-15 07:02:41 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-15 07:02:40 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-15 06:49:58 9049936 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{519195CC-CC73-416F-B729-4A030C26FDA2}\mpengine.dll
2012-03-14 06:42:00 -------- d-----w- C:\Windows\System32\drivers\NAVx64\1306010.008
2012-03-12 20:58:09 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-03-12 20:50:41 -------- d-----w- C:\Program Files\Symantec
2012-03-12 20:47:53 -------- d-----w- C:\Windows\System32\drivers\NAVx64
2012-03-12 20:47:45 -------- d-----w- C:\Program Files (x86)\Norton AntiVirus
2012-03-12 20:47:40 -------- d-----w- C:\ProgramData\Norton
2012-03-12 20:22:16 -------- d-----w- C:\ProgramData\NortonInstaller
2012-03-12 20:22:16 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2012-03-12 04:23:21 -------- d-----w- C:\ProgramData\AVG2012
2012-03-12 04:20:07 -------- d-----w- C:\Program Files (x86)\AVG
2012-03-12 04:02:37 -------- d--h--w- C:\ProgramData\Common Files
2012-03-12 04:01:27 -------- d-----w- C:\ProgramData\MFAData
2012-03-11 07:24:16 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\F656.tmp
2012-03-11 07:24:16 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\F636.tmp
.
==================== Find3M ====================
.
2012-01-31 12:44:20 279656 ----a-w- C:\Windows\System32\MpSigStub.exe
2012-01-09 12:31:40 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-01-09 12:31:39 175616 ----a-w- C:\Windows\System32\msclmd.dll
.
============= FINISH: 22:45:10.35 ===============


*******Spybot Log********

Smitfraud-C.generic: [SBI $5926A588] Executable (File, nothing done)
C:\Windows\svchost.exe
Properties.size=20480
Properties.md5=2CEFF13ACE25A40BD8D97654944297CD
Properties.filedate=1247534086
Properties.filedatetext=2009-07-13 21:14:45


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
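
Editor's note on the log above, with an added example that is not part of the original post and not code from DDS or Spybot. Two items in the DDS output are the ones a responder would key on: the file Spybot names, C:\Windows\svchost.exe, is a system-binary name sitting one directory above where Windows keeps the real one (System32 and SysWOW64), and the running process C:\Windows\TEMP\0.7067987394497796 is an extension-less image started from a scratch directory. The Python below runs exactly those two checks over a list of image paths. The sample list is copied from the "Running Processes" section above plus the path Spybot reported; the EXPECTED_DIRS table is the editor's own assumption about where the genuine binaries live on 64-bit Windows 7.

```python
r"""Triage DDS-style image paths for two indicators: a well-known system
binary name outside its expected directory, and an image launched from a
TEMP directory. Editor-added example, not part of the thread or of DDS."""

from pathlib import PureWindowsPath

# Editor's assumption: directories in which these binaries legitimately live
# on a 64-bit Windows 7 install (lower-case, no trailing backslash).
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "conhost.exe":  {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32"},
    "lsm.exe":      {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe":      {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cscript.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Path fragments that mark a scratch location; nothing should persist in or
# start from here, so any image path under them is worth a look.
TEMP_MARKERS = (r"c:\windows\temp", r"\appdata\local\temp")

# Sample input: lines copied from the "Running Processes" section of the DDS
# log above, plus (last line) the path Spybot reported, which is not a running
# process in that log but is the file this thread is about.
SAMPLE_LINES = r"""
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\ctfmon.exe
C:\Windows\TEMP\0.7067987394497796
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\svchost.exe
"""


def parse_process_lines(text):
    """Return the image path from each non-empty DDS process line.

    DDS prints svchost instances as '<path> -k <group>'; the group is an
    argument, not part of the path, so it is dropped here.
    """
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        paths.append(line.split(" -k ", 1)[0])
    return paths


def triage(paths):
    """Return (path, reason) pairs for every path that trips an indicator."""
    findings = []
    for path in paths:
        p = PureWindowsPath(path)
        name = p.name.lower()
        parent = str(p.parent).lower()
        if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
            findings.append((path, "system binary name outside its expected directory"))
        if any(marker in parent for marker in TEMP_MARKERS):
            findings.append((path, "image started from a TEMP directory"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_process_lines(SAMPLE_LINES)):
        print(f"{reason}: {path}")
```

Run against the sample, the script flags only C:\Windows\svchost.exe and C:\Windows\TEMP\0.7067987394497796; every System32/SysWOW64 entry passes. Note that the RunOnce entries in the same log (SpybotDeleting…, cmd.exe /c del "C:\Windows\svchost.exe") show Spybot has already scheduled the file for deletion at next logon, and the "Created Last 30" section shows it re-created at 02:11:40, which is why a path-level check like this one is a triage aid rather than a fix.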

oldman960
2012-03-16, 08:14
Hi mgsmj, welcome to the forum.

To make cleaning this machine easier
Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
Do not attach any logs/reports, etc.. unless specifically requested to do so.
If you have problems with or do not understand the instructions, Please ask before continuing.
Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


I see Norton Security Suite installed as well as Microsoft Security Essentials, plus some traces of AVG. What is the current AV you plan on using?

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Double click the aswMBR.exe to run it. If asked to download Avast's database please do so.

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Please post back with
aswMBR log
mbr.zip (attached)

mgsmj
2012-03-16, 23:00
Hello, thank you for responding!

I only use Spybot and occasionally malwarebytes. Norton came with a comcast program, microsoft was preinstalled and I never disabled it, and AVG was previously uninstalled and was restored with the system restore.

I have attached the mbr.zip file and here is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-16 16:28:55
-----------------------------
16:28:55.154 OS Version: Windows x64 6.1.7601 Service Pack 1
16:28:55.154 Number of processors: 1 586 0x7C02
16:28:55.154 ComputerName: JAMIE-PC UserName: Jamie
16:29:48.693 Initialize success
16:42:24.124 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:42:24.140 Disk 0 Vendor: Hitachi_HTS545016B9A300 PBBOC60F Size: 152627MB BusType: 11
16:42:24.140 Device \Driver\atapi -> MajorFunction fffffa80033ac5c4
16:42:24.140 Disk 0 MBR read successfully
16:42:24.155 Disk 0 MBR scan
16:42:24.155 Disk 0 TDL4@MBR code has been found
16:42:24.155 Disk 0 Windows 7 default MBR code found via API
16:42:24.171 Disk 0 MBR hidden
16:42:24.171 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12291 MB offset 63
16:42:24.202 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 101 MB offset 25173855
16:42:24.218 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 140232 MB offset 25382700
16:42:24.233 Disk 0 MBR [TDL4] **ROOTKIT**
16:42:24.233 Disk 0 trace - called modules:
16:42:24.249 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80033ac5c4]<<
16:42:25.091 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80030b8690]
16:42:25.091 3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> [0xfffffa8003023520]
16:42:25.107 5 ACPI.sys[fffff88000f9b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800301f680]
16:42:25.123 \Driver\atapi[0xfffffa80032f1e70] -> IRP_MJ_CREATE -> 0xfffffa80033ac5c4
16:42:25.123 Scan finished successfully
16:42:49.599 Disk 0 MBR has been saved successfully to "C:\Users\Jamie\Desktop\MBR.dat"
16:42:49.615 The log file has been saved successfully to "C:\Users\Jamie\Desktop\aswMBR.txt"
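
Editor's note on the aswMBR output above, with an added example that is not part of the original post and not aswMBR's code. The three lines that matter are "TDL4@MBR code has been found", "Windows 7 default MBR code found via API" and "MBR hidden": a normal read of sector 0 through the OS returns clean boot code, while a lower-level read returns different bytes with the same partition table, which is the signature of a disk-filtering bootkit hooking \Driver\atapi (the UNKNOWN MajorFunction address in the trace). The Python below parses a 512-byte MBR image such as the MBR.dat that aswMBR saved, and implements that two-view comparison. The partition entries are constructed to reproduce the layout aswMBR printed (types 0x27 and 0x07 at offsets 63, 25173855 and 25382700); the boot-code bytes are placeholders and not real MBR code.

```python
r"""Parse a 512-byte MBR image (the format of the MBR.dat aswMBR writes) and
compare two views of the same sector. Editor-added example: not part of the
thread and not aswMBR's code. Partition entries are constructed to match the
aswMBR log above; boot-code bytes are placeholders."""

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 446            # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x27: "Hidden NTFS WinRE"}


@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def size_mb(self):
        # 2048 sectors per MB, truncated the way aswMBR reports it
        return self.sectors * SECTOR // (1024 * 1024)

    @property
    def type_name(self):
        return PARTITION_TYPES.get(self.type_id, "unknown 0x%02X" % self.type_id)


def parse_mbr(image):
    """Decode the partition table; CHS fields are skipped (LBA is what matters)."""
    if len(image) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    if image[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = image[TABLE_OFFSET + 16 * i : TABLE_OFFSET + 16 * (i + 1)]
        status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if type_id == 0:  # empty slot
            continue
        parts.append(Partition(i + 1, status == 0x80, type_id, lba_start, sectors))
    return parts


def boot_code_sha256(image):
    """Hash the 446 bytes of boot code, the part a bootkit overwrites."""
    return hashlib.sha256(image[:TABLE_OFFSET]).hexdigest()


def compare_views(api_view, raw_view):
    """The check behind aswMBR's 'default MBR code found via API' versus
    'TDL4@MBR code has been found': a disk-filtering rootkit returns a clean
    sector 0 to normal reads while the bytes physically on disk differ.
    api_view is what the OS API returned, raw_view what a lower-level read got."""
    same_table = api_view[TABLE_OFFSET:] == raw_view[TABLE_OFFSET:]
    same_code = boot_code_sha256(api_view) == boot_code_sha256(raw_view)
    return {
        "partition_table_matches": same_table,
        "boot_code_matches": same_code,
        # identical table but different code is exactly the "MBR hidden" pattern
        "suspect_filtered_read": same_table and not same_code,
    }


def build_mbr(boot_code, layout):
    """Assemble a test image from boot code and (active, type, lba_start, sectors) tuples."""
    if len(boot_code) > TABLE_OFFSET or len(layout) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if active else 0, t, start, n)
                     for active, t, start, n in layout)
    return boot_code.ljust(TABLE_OFFSET, b"\0") + table.ljust(64, b"\0") + BOOT_SIGNATURE


# Constructed to match the three partitions in the aswMBR log above.
LAYOUT = [
    (False, 0x27, 63, 25173792),         # hidden WinRE, 12291 MB
    (True,  0x07, 25173855, 208845),     # active system partition, 101 MB
    (False, 0x07, 25382700, 287195136),  # Windows, 140232 MB
]
CLEAN_VIEW = build_mbr(b"\xfa\x33\xc0" + b"\x90" * 32, LAYOUT)   # placeholder bytes
TAMPERED_VIEW = build_mbr(b"\xeb\x1c" + b"\xcc" * 64, LAYOUT)    # same table, other code


if __name__ == "__main__":
    for part in parse_mbr(CLEAN_VIEW):
        flag = "(A)" if part.active else "   "
        print(f"Partition {part.index} {flag} {part.type_name:<18} {part.size_mb:>7} MB offset {part.lba_start}")
    print(compare_views(CLEAN_VIEW, TAMPERED_VIEW))
```

To use it on a real capture, read the 512 bytes of MBR.dat into parse_mbr; the partition sizes and offsets it prints should agree with the aswMBR lines above. The two-view comparison needs an API read and a raw read of the same sector, which is what aswMBR's own driver performs and a user-mode script on an infected box cannot get reliably; that is the reason the helper asks for the saved MBR.dat rather than a second scan.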

oldman960
2012-03-16, 23:24
Hi mgsmj,

We can take care of the AVG remnant. You will need to decide between Norton and MS; having both installed can and will cause problems. Let me know which you decide you would like to keep.



Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.



Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

oldman960
2012-03-20, 01:25
Hi mgsmj,

Still with us?

oldman960
2012-03-22, 01:24
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.