Thread: malware attack, redirect - now can't get safe mode

  #1 - Junior Member (Join Date: Jan 2006; Posts: 20)

    malware attack, redirect - now can't get safe mode

    I got a malware attack a few days ago.

    I did sfc /scannow.

    I used ComboFix on my own, not knowing I should've had assistance. I have the log for that.
    I've also used Malwarebytes (fixed 12 infections) and Ad-Aware.

    It was fine for 2 days, then Firefox crashed and wouldn't open. I removed Firefox
    and installed Orca. Now when I boot, I get the message "PC has experienced a ??? .... If this is the first time you're seeing this message, reboot. Otherwise, follow directions below....."

    In safe mode I don't get the task bar; I get a "Windows Security" message. One button says "buy". I'd say it's fake.

  #2 - Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.


    Please post the contents of that ComboFix log you have there, too.

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.

  #3 - Junior Member (Join Date: Jan 2006; Posts: 20)

    Here's the ComboFix log:

    ComboFix 10-05-25.02 - Esther 05/25/2010 14:45:15.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.495 [GMT -7:00]
    Running from: c:\users\Esther\Downloads\ComboFix.exe
    SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
    SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\feed.txt
    c:\users\Esther\AppData\Local\Windows Server
    c:\users\Esther\AppData\Local\Windows Server\flags.ini
    c:\users\Esther\AppData\Local\Windows Server\hcdqyx.dll
    c:\users\Esther\AppData\Local\Windows Server\uses32.dat
    c:\users\Esther\AppData\Local\wjrprcntl
    c:\users\Esther\AppData\Local\wjrprcntl\ajcyuiitssd.exe
    c:\users\Esther\AppData\Roaming\02000000512cd6ff922C.manifest
    c:\users\Esther\AppData\Roaming\02000000512cd6ff922O.manifest
    c:\users\Esther\AppData\Roaming\02000000512cd6ff922P.manifest
    c:\users\Esther\AppData\Roaming\02000000512cd6ff922S.manifest
    c:\users\Esther\AppData\Roaming\SystemProc
    c:\users\Esther\AppData\Roaming\SystemProc\lsass.exe
    c:\users\Esther\AppData\Roaming\SystemProc\upd.exe
    c:\windows\Ahitua.exe
    c:\windows\system32\ernel32.dll
    c:\windows\system32\net.net
    c:\windows\system32\regsvr32.dll
    c:\windows\system32\s7vq9924eg.dll
    c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    c:\windows\system32\drivers\psrzvib.sys . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_psrzvib
    -------\Service_psrzvib


    ((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
    .

    2010-05-25 22:02 . 2010-05-25 05:30 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\WS93sK.dll
    2010-05-25 21:58 . 2010-05-25 22:02 -------- d-----w- c:\users\Esther\AppData\Local\temp
    2010-05-25 21:58 . 2010-05-25 21:58 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-05-25 21:57 . 2010-05-25 22:03 -------- d-----w- c:\users\Esther\AppData\Local\Windows Server
    2010-05-25 21:41 . 2010-05-25 05:30 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7qG1793.dll
    2010-05-25 19:05 . 2010-05-25 05:30 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\gM3179o.dll
    2010-05-25 18:43 . 2010-05-25 05:30 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1mY3cE.dll
    2010-05-25 17:29 . 2010-05-25 05:30 75776 ----a-w- c:\windows\system32\f36decbb.exe
    2010-05-25 16:15 . 2010-05-25 05:30 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7a3kU93.dll
    2010-05-25 05:32 . 2010-05-25 05:32 182272 ----a-w- c:\windows\system32\comcat32.dll
    2010-05-25 05:31 . 2010-05-25 05:31 182272 ----a-w- c:\windows\system32\diagperf32.dll
    2010-05-25 05:30 . 2010-05-25 05:30 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\WSK9yW7u.dll
    2010-05-25 05:30 . 2010-05-25 05:30 75776 ----a-w- c:\windows\system32\7bb7c5c0.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-25 21:40 . 2007-01-05 23:06 -------- d-----w- c:\programdata\McAfee
    2010-05-25 21:23 . 2007-05-19 19:04 1356 ----a-w- c:\users\Esther\AppData\Local\d3d9caps.dat
    2010-04-25 02:41 . 2010-04-25 02:41 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-04-10 02:42 . 2007-07-28 17:30 13950 ----a-w- c:\users\Esther\AppData\Roaming\wklnhst.dat
    2010-03-22 03:33 . 2010-03-22 03:33 667648 ----a-w- c:\users\Esther\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...180-0-main.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-24 160592]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-29 106496]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-29 98304]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-04-17 1006264]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
    "SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-19 421888]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-29 81920]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-16 524632]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

    c:\users\Esther\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    PowerReg SchedulerV2.exe [2007-4-28 256000]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "TaskbarNoNotification"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^CallWave.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\CallWave.lnk
    backup=c:\windows\pss\CallWave.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^Esther^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\Esther\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^Esther^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^YouTube Uploader.lnk]
    path=c:\users\Esther\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YouTube Uploader.lnk
    backup=c:\windows\pss\YouTube Uploader.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
    2006-12-15 23:59 530552 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1922036909]
    2006-10-04 00:17 65616 ----a-w- c:\program files\Toshiba Registration\Registration.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\47862506]
    2006-10-04 00:17 65616 ----a-w- c:\program files\Toshiba Registration\Activation.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2008-03-07 17:17 51184 ----atw- c:\users\Esther\AppData\Local\Google\Update\1.1.17.0\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
    2006-12-08 00:49 55416 ----a-w- c:\program files\Toshiba\TBS\HSON.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
    2001-06-15 00:54 254022 ------w- c:\program files\EPSON\Ink Monitor\InkMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeNotify]
    2006-11-07 01:14 34352 ----a-w- c:\program files\Toshiba\Utilities\KeNotify.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]
    2004-04-19 19:25 634880 ----a-w- c:\program files\PureEdge\Viewer 6.1\masqform.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PINGER]
    2006-07-20 20:45 151552 ----a-w- c:\toshiba\IVP\ISM\pinger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2006-11-09 18:57 3784704 ----a-w- c:\windows\RtHDVCpl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    2006-12-12 01:45 448632 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-11-02 12:36 201728 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    AppSecDll REG_SZ c:\users\Esther\AppData\Local\Windows Server\hcdqyx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4293823666-2077962647-2123141110-1000]
    "EnableNotificationsRef"=dword:00000001

    R2 MSWA-7bb7c5c0;MSWA-7bb7c5c0;c:\windows\system32\7bb7c5c0.exe [2010-05-25 75776]
    R2 MSWA-f36decbb;MSWA-f36decbb;c:\windows\system32\f36decbb.exe [2010-05-25 75776]
    R3 wrssweep;Webroots Volume Access Driver;c:\program files\Webroot\Washer\wrssweep.sys [x]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-05-12 64160]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-16 1029456]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PSRZVIB
    *Deregistered* - psrzvib

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 00:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    Trusted Zone: nwmls.com
    Trusted Zone: rapmls.com
    FF - ProfilePath - c:\users\Esther\AppData\Roaming\Mozilla\Firefox\Profiles\k2t3iiak.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\users\Esther\AppData\Roaming\Mozilla\Firefox\Profiles\k2t3iiak.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\windows\system32\npmirage.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-RTHDBPL - c:\users\Esther\AppData\Roaming\SystemProc\lsass.exe
    HKCU-Run-siallqkk - c:\users\Esther\AppData\Local\wjrprcntl\ajcyuiitssd.exe
    MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    MSConfigStartUp-MskAgentexe - c:\program files\McAfee\MSK\MskAgent.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-25 15:05
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????['C~????\?8?\?p?\???\???
    RTHDBPL = c:\users\Esther\AppData\Roaming\SystemProc\lsass.exe????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x853E8D01]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0x85a2dd1f
    \Driver\ACPI -> acpi.sys @ 0x804769d6
    \Driver\atapi -> ataport.SYS @ 0x8261e9c6
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\psrzvib]

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-4293823666-2077962647-2123141110-1000\Software\Microsoft\Protected Storage System Provider]
    @Denied: (Full) (Everyone)

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\agrsmsvc.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Toshiba\ConfigFree\NDSTray.exe
    c:\program files\Synaptics\SynTP\SynToshiba.exe
    c:\windows\ehome\ehmsas.exe
    c:\toshiba\IVP\swupdate\swupdtmr.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-25 15:14:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-25 22:13

    Pre-Run: 30,914,162,688 bytes free
    Post-Run: 30,614,024,192 bytes free

    - - End Of File - - 28D97BE04CB72FA9AD6679279D52DB36

    Here's the DDS log:

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Esther at 19:34:49.05 on Thu 06/17/2010
    Internet Explorer: 7.0.6000.16764
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.244 [GMT -7:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    AV: avast! antivirus 4.8.1296 [VPS 000000-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
    SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: avast! antivirus 4.8.1296 [VPS 000000-0] *disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    c:\windows\system32\svchost.exe -k dcomlaunch
    c:\windows\system32\svchost.exe -k rpcss
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted
    c:\windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    c:\windows\system32\svchost.exe -k localservice
    c:\windows\system32\svchost.exe -k networkservice
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\System32\spoolsv.exe
    c:\windows\system32\svchost.exe -k localservicenonetwork
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    c:\windows\system32\svchost.exe -k networkservicenetworkrestricted
    c:\windows\system32\svchost.exe -k imgsvc
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    c:\windows\system32\svchost.exe -k wersvcgroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Windows\System32\igfxtray.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Users\Esther\AppData\Local\Temp\wscsvc32.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Users\Esther\AppData\Local\temp\e.exe
    C:\Windows\System32\igfxpers.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Program Files\Orca Browser\orca.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Windows\system32\WerFault.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Users\Esther\AppData\Local\Temp\mscdexnt.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Esther\Downloads\dds.com
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
    uWindow Title = Microsoft Internet Explorer
    uDefault_Page_URL = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
    mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    uInternet Settings,ProxyOverride = <local>
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [start 1] c:\users\esther\appdata\local\temp\e.exe
    uRun: [{4F4B8EED-5E39-7E95-E03C-A22B729B17C2}] c:\users\esther\appdata\roaming\kute\iguro.exe
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    StartupFolder: c:\users\esther\appdata\roaming\microsoft\windows\start menu\programs\startup\PowerReg SchedulerV2.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    uPolicies-explorer: TaskbarNoNotification = 0 (0x0)
    uPolicies-system: DisableTaskMgr = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: nwmls.com
    Trusted Zone: rapmls.com
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\esther\appdata\roaming\mozilla\firefox\profiles\k2t3iiak.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
    FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
    FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
    FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
    FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
    FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
    FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\users\esther\appdata\roaming\mozilla\firefox\profiles\k2t3iiak.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\windows\system32\npmirage.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    P2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-4-17 144960]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-11 64160]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-3-31 164048]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-3-31 19024]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2007-7-23 51792]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-8 40384]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-1-5 71496]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-1-5 34184]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-1-5 170408]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-2-14 1153368]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-8 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-8 40384]
    S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-1-5 32008]
    S3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-1-5 37480]
    S4 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-4-17 540776]
    S4 mcpromgr;McAfee Protection Manager;c:\progra~1\mcafee\msc\mcpromgr.exe [2007-4-17 493144]
    S4 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-4-17 256096]
    S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-4-17 643664]

    ============== File Associations ===============

    .exe=secfile

    =============== Created Last 30 ================

    2010-06-10 09:41:35 0 d-----w- c:\program files\Protection Center
    2010-06-10 04:43:38 24576 ----a-w- c:\windows\system32\stu2.exe
    2010-06-08 03:05:11 0 d-----w- c:\users\esther\appdata\roaming\Orca Profiles
    2010-06-08 03:02:31 0 d-----w- c:\program files\Orca Browser
    2010-06-05 13:46:15 12 ----a-w- c:\users\esther\appdata\roaming\gklupx.dat
    2010-06-01 20:13:52 0 d-----w- c:\programdata\Alwil Software
    2010-06-01 19:02:45 0 d-----w- c:\programdata\Hitman Pro

    ==================== Find3M ====================

    2010-05-06 20:34:10 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-04-10 02:42:04 13950 ----a-w- c:\users\esther\appdata\roaming\wklnhst.dat
    2009-01-10 20:49:58 174 --sha-w- c:\program files\desktop.ini
    2009-01-10 20:44:52 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-01-10 20:44:52 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-01-10 20:44:51 86016 ----a-w- c:\windows\inf\infstrng.dat
    2009-01-10 20:44:51 86016 ----a-w- c:\windows\inf\infstor.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-11-01 01:02:01 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2009-11-01 01:02:01 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2009-11-01 01:02:01 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

    ============= FINISH: 19:39:26.07 ===============
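The `.exe=secfile` line under "File Associations" in the log above is the first thing a practitioner would check: on a stock Windows install `.exe` maps to `exefile`, so any other handler means every program launch is routed through whatever program owns that key, a pattern typical of rogue "security" software. The block below is an added example and is not part of the thread, of DDS, or of ComboFix: a small Python parser for the two DDS sections shown, with a check for the redirected association and a heuristic (my assumption, not a DDS rule) that lists loose files recently created under c:\windows\. The sample lines are copied from the posted log.

```python
"""Parser for the DDS 'File Associations' and 'Created Last 30' sections.

Added example, not code from the thread or from the DDS tool.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the log posted in this thread,
# in the layout DDS uses, so the parser can be run offline.
SAMPLE_LOG = r"""
============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-06-10 09:41:35 0 d-----w- c:\program files\Protection Center
2010-06-10 04:43:38 24576 ----a-w- c:\windows\system32\stu2.exe
2010-06-08 03:02:31 0 d-----w- c:\program files\Orca Browser
2010-06-05 13:46:15 12 ----a-w- c:\users\esther\appdata\roaming\gklupx.dat

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
ENTRY_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+)$"
)

# Stock Windows handler for .exe. A different value means the association
# has been redirected so every program launch passes through the hijacker.
EXPECTED_ASSOC = {".exe": "exefile"}


@dataclass
class Created:
    when: str
    size: int
    attrs: str   # DDS attribute string, e.g. d-----w- or ----a-w-
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_dds(text: str):
    """Return (associations dict, list of Created entries) from a DDS log."""
    assoc, created, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1).lower()
            continue
        if section == "file associations" and "=" in line:
            ext, handler = line.split("=", 1)
            assoc[ext.strip().lower()] = handler.strip()
        elif section == "created last 30":
            m = ENTRY_RE.match(line)
            if m:
                created.append(Created(m.group(1), int(m.group(2)),
                                       m.group(3), m.group(4).lower()))
    return assoc, created


def hijacked_associations(assoc):
    """Associations whose handler differs from the stock Windows default."""
    return {ext: h for ext, h in assoc.items()
            if ext in EXPECTED_ASSOC and h.lower() != EXPECTED_ASSOC[ext]}


def loose_files_under_windows(created):
    """Heuristic (assumption, not a DDS rule): a recently created loose file
    under c:\\windows\\ deserves a second look, since installers seldom drop
    single executables there."""
    return [c.path for c in created
            if not c.is_dir and c.path.startswith("c:\\windows\\")]


if __name__ == "__main__":
    assoc, created = parse_dds(SAMPLE_LOG)
    print("hijacked associations:", hijacked_associations(assoc))
    print("loose files to review:", loose_files_under_windows(created))
```

Run against the sample it reports the `.exe` handler as `secfile` and lists `c:\windows\system32\stu2.exe` for review; the listing is a prompt for inspection, not a verdict, since the thread itself never identifies that file.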

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    Jan 2006
    Posts
    20

    I can't boot windows in any mode. I get a message: "shutting down to prevent damage".

    I'm wondering if this is worth any more time, or should I reinstall?

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    If you're ready to reinstall then that would likely be the safest option.

  7. #7
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Due to inactivity, this thread will now be closed.

    Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

    If it has been less than three days since your last response and you need the thread re-opened, please send me or another MOD a private message (PM). A valid, working link to the closed topic is required.