
Security Protection Virus


tieny

My computer just recently got infected with a fake antivirus program. In the lower right corner of the taskbar it keeps saying, "TCrdMain.exe can not start. It is infected by W32/Blaster.Worm. Please activate Security Protection to protect your computer." And I cannot open Internet Explorer or Task Manager either. I rebooted into Safe Mode and tried to run HijackThis, but it says "The Windows Installer service is not accessible in Safe Mode." I'm running Windows 7.


tieny,

 

If you press CTRL ALT DELETE (all at the same time), does Task Manager show?

You may have to do this a couple of times...

 

 

Also, do you have access to another computer, and to a USB flash/thumb drive?

 

Post back with the info, and we will take it from there.

 

Thanks.

Edited by Aaflac

Let's press on with some instructions...

 

If you cannot download the following program, you may need to use a USB flash drive, or removable media, and a clean computer. However, try the following first:

 

If you cannot get the Internet Explorer browser to open, press Ctrl Alt Delete (simultaneously) to bring up Task Manager (You may need to do this a couple of times.)

 

In Task Manager, go to File, and select: New Task (Run…)

 

In the Create New Task prompt, in the ‘Open’ area, type in or copy/paste:

iexplore.exe

 

The browser should now open.

 

~~~~

If no-go, in the Create New Task prompt, click: Browse

In the left column of this window, click on the Desktop

In the right column, click on the Browser icon

Press: Open

 

Back at the Create New Task prompt, the address of your browser should appear in the Open area.

Click OK for the browser to open.

 

~~~~

Now, download DDS from one of these locations:

Link 1

 

Link 2

 

 

Save it to a USB flash drive on a clean computer.

 

Move it to the Desktop of the infected computer.

 

Press Ctrl Alt Delete (simultaneously) to bring up Task Manager

 

In Task Manager, go to File, and select: New Task (Run…)

In the Create New Task prompt, in the ‘Open’ area, type in or copy/paste:

C:\Users\XXXX\Desktop\dds.scr

 

~~~~

Note:

The four Xs represent your User name on the computer. If you are not sure of what path to use, go to the DDS icon on the Desktop. Right-click it, and select Properties.

 

In ‘Location’, there is a path like C:\Users\XXXX\Desktop; however, your User name will appear in place of the 4 Xs.

Make it C:\Users\XXXX\Desktop\dds.scr if you downloaded DDS from Link 1, or

C:\Users\XXXX\Desktop\dds.com if you downloaded DDS from Link 2.

 

Make sure the ‘XXXX’ is replaced by your User name.

 

Once you type in or copy/paste:

C:\Users\XXXX\Desktop\dds.scr (or C:\Users\XXXX\Desktop\dds.com) in the ‘Open’ area, click: OK

 

DDS should now start running.

 

When done, DDS opens two logs:

-DDS.txt

-Attach.txt

 

Save both reports to your Desktop, and post them in your reply.

 

~~~~

If no-go, move the reports to the USB flash drive, and take them to the clean computer to post in your reply.

Edited by Aaflac

I'm not able to open Internet Explorer or Task Manager in normal mode. I ran DDS in Safe Mode with Networking, and here are the results:

 

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.7600.16385

Run by thanhhoa at 18:55:47 on 2011-09-15

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1522 [GMT -7:00]

.

AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\windows\Explorer.EXE

C:\windows\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: ShoppingReport2: {258c9770-1713-4021-8d7e-1f184a2bd754} - c:\program files\shoppingreport2\bin\2.7.34\ShoppingReport.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: BandooIEPlugin Class: {eb5cee80-030a-4ed8-8e20-454e9c68380f} - c:\program files\bandoo\plugins\ie\ieplugin.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: ShopperReports: {bdea95cf-f0e6-41e0-bd3d-b00f39a4e939} - c:\program files\shoppingreport2\bin\2.7.34\ShoppingReport.dll

uRun: [MyTOSHIBA] "c:\program files\toshiba\my toshiba\MyToshiba.exe" /AUTO

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [security Protection] c:\programdata\defender.exe

mRun: [<NO NAME>]

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [sVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL

mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP

mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60

mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe

mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED

mRun: [ClickPotatoLiteSA] "c:\program files\clickpotatolite\bin\10.0.668.0\ClickPotatoLiteSA.exe"

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office11\REFIEBAR.DLL

IE: {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\clickpotatolite\bin\10.0.668.0\ClickPotatoLiteSABHO.dll

IE: {DB38E21A-0133-419d-92AD-ECDFD5244D6D} - {3E2DFD6A-4E20-4d4c-AA8B-E1F9DBEF3C80} - c:\program files\shoppingreport2\bin\2.7.34\ShoppingReport.dll

IE: {EB620C54-E229-4942-87CE-E717109FC8C6} - {714E0876-FCEE-49ce-A429-B9AD8AEFCB56} - c:\program files\shoppingreport2\bin\2.7.34\ShoppingReport.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{2B628043-564D-499C-B681-5AC04A3A786D} : DhcpNameServer = 208.59.247.45 208.59.247.46

TCP: Interfaces\{D8D73E3F-C8B2-45BA-8F0D-0EEE2B29113A} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{D8D73E3F-C8B2-45BA-8F0D-0EEE2B29113A}\355434255445 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{D8D73E3F-C8B2-45BA-8F0D-0EEE2B29113A}\C494745425 : DhcpNameServer = 192.168.0.1

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll

mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP

.

============= SERVICES / DRIVERS ===============

.

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-10-18 167936]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-10-18 376320]

S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]

S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.7.0.30\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.7.0.30\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.7.0.30\ccSvcHst.exe [?]

S2 ScanQuery Service;ScanQuery Service;c:\programdata\scanquery\scanquery183.exe [2011-8-19 26112]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-3-15 183560]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-10-18 171008]

S3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-10-18 51512]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-8-3 111960]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-20 1343400]

.

=============== Created Last 30 ================

.

2011-08-20 03:54:12 862720 ----a-w- c:\programdata\defender.exe

.

==================== Find3M ====================

.

2011-07-22 04:56:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-16 04:37:32 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-07-16 04:34:28 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 04:31:12 271360 ----a-w- c:\windows\system32\conhost.exe

2011-07-16 02:21:47 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 02:21:47 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:21:47 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:21:47 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-09 02:26:10 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-06-23 04:38:05 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-06-23 04:38:04 3902336 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-06-21 05:39:53 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-06-21 05:36:36 981504 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 05:35:05 44544 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-21 04:26:02 386048 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 18:57:04.16 ===============

 

 

 

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 11/13/2009 4:43:46 PM

System Uptime: 9/15/2011 6:37:06 PM (0 hours ago)

.

Motherboard: TOSHIBA | | NBWAA

Processor: Intel® Celeron® CPU 900 @ 2.20GHz | U2E1 | 2194/mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 223 GiB total, 190.29 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: Security Processor Loader Driver

Device ID: ROOT\LEGACY_SPLDR\0000

Manufacturer:

Name: Security Processor Loader Driver

PNP Device ID: ROOT\LEGACY_SPLDR\0000

Service: spldr

.

==== System Restore Points ===================

.

RP39: 11/4/2010 10:32:58 PM - Windows Update

RP40: 11/9/2010 8:25:54 PM - Windows Update

RP41: 11/24/2010 10:52:35 PM - Windows Update

RP42: 12/15/2010 9:26:45 PM - Windows Update

RP43: 12/19/2010 5:46:16 PM - Windows Update

RP44: 1/11/2011 8:57:23 PM - Windows Update

RP45: 1/13/2011 9:24:55 PM - Windows Update

RP46: 2/3/2011 9:26:21 PM - Windows Update

RP47: 2/9/2011 8:37:57 PM - Windows Update

RP48: 2/23/2011 1:02:35 PM - Windows Update

RP49: 3/9/2011 7:41:53 PM - Windows Update

RP50: 3/18/2011 10:20:13 PM - Windows Update

RP51: 3/23/2011 8:39:30 PM - Windows Update

RP52: 4/4/2011 2:08:25 PM - Windows Update

RP53: 4/13/2011 8:41:32 PM - Windows Update

RP54: 4/21/2011 4:30:52 PM - Windows Update

RP55: 4/27/2011 8:22:17 PM - Windows Update

RP56: 5/12/2011 4:41:35 PM - Windows Update

RP57: 5/19/2011 7:24:36 PM - Windows Update

RP58: 5/25/2011 9:56:16 PM - Windows Update

RP59: 6/19/2011 8:51:42 PM - Scheduled Checkpoint

RP60: 6/19/2011 9:29:03 PM - Windows Update

RP61: 6/29/2011 5:16:25 PM - Windows Update

RP62: 7/13/2011 10:11:43 PM - Windows Update

RP63: 8/12/2011 9:08:40 PM - Windows Update

RP64: 8/19/2011 8:54:34 PM - Windows Update

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

Adobe Flash Player 10 ActiveX

Adobe Reader 9.1

Bandoo

Bing Bar

Bing Rewards Client Installer

blinkx beat

ClickPotato

Compatibility Pack for the 2007 Office system

Google Toolbar for Internet Explorer

Google Update Helper

Intel® Graphics Media Accelerator Driver

Intel® Matrix Storage Manager

Java 6 Update 14

Junk Mail filter update

Label@Once 1.0

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Professional Edition 2003

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Suite Activation Assistant

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

MSVCRT

MyToshiba

NetZero Launcher

Norton Internet Security

PlayReady PC Runtime x86

Quickbooks Financial Center

Realtek 8136 8168 8169 Ethernet Driver

Realtek High Definition Audio Driver

Realtek USB 2.0 Card Reader

Realtek WLAN Driver

ScanQuery 1.0 build 183 powered by FIRST SEARCH BAR

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2509488)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft Office 2007 System (KB2541012)

Security Update for Microsoft Office Excel 2007 (KB2541007)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2535818)

Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

ShopperReports

Skype Launcher

Synaptics Pointing Device Driver

Toshiba Application and Driver Installer

TOSHIBA Assist

TOSHIBA ConfigFree

TOSHIBA Disc Creator

TOSHIBA DVD PLAYER

TOSHIBA Extended Tiles for Windows Mobility Center

TOSHIBA Flash Cards Support Utility

TOSHIBA Hardware Setup

TOSHIBA HDD/SSD Alert

Toshiba Online Backup

Toshiba Quality Application

TOSHIBA Recovery Media Creator

TOSHIBA Service Station

TOSHIBA Speech System Applications

TOSHIBA Speech System SR Engine(U.S.) Version1.0

TOSHIBA Speech System TTS Engine(U.S.) Version1.0

TOSHIBA Supervisor Password

TOSHIBA Value Added Package

ToshibaRegistration

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 System (KB2539530)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Utility Common Driver

WildTangent Games

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Mail

Windows Live Messenger

Windows Live Photo Gallery

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

.

==== Event Viewer Messages From Past Week ========

.

9/15/2011 6:54:05 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

9/15/2011 6:52:08 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

9/15/2011 6:37:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

9/15/2011 6:37:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

9/15/2011 6:37:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

9/15/2011 6:37:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

9/15/2011 6:37:27 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr SRTSP SRTSPX Wanarpv6

9/15/2011 6:35:04 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP SRTSPX

9/15/2011 6:34:58 PM, Error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The system cannot find the file specified.

9/15/2011 5:59:09 PM, Error: Service Control Manager [7034] - The ScanQuery Service service terminated unexpectedly. It has done this 1 time(s).

9/15/2011 5:46:04 PM, Error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).

9/15/2011 5:43:02 PM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/15/2011 5:40:01 PM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/14/2011 8:36:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

.

==== End Of File ===========================
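As an added example (not part of the thread, and not code from the DDS tool or its author), here is a small Python triage script for the DDS.txt format posted above. It parses the uRun/mRun autostart lines, the AppInit_DLLs entry, the SERVICES / DRIVERS list and the "Created Last 30" section, and flags entries whose image lives in a user-writable directory (ProgramData, Users, Temp) or was created within the last 30 days. The regexes, the flagging heuristics and the sample excerpt are mine; the excerpt is constructed to mirror the format of the posted log.

```python
"""Triage a DDS.txt-style log: collect autostart, AppInit and service entries and
flag the ones a malware-removal helper would want to inspect first."""

import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: an excerpt in DDS.txt format, trimmed to the sections this
# script reads. The values mirror the thread's log; the excerpt itself is ours.
SAMPLE_DDS_LOG = r"""============== Pseudo HJT Report ===============
uRun: [MyTOSHIBA] "c:\program files\toshiba\my toshiba\MyToshiba.exe" /AUTO
uRun: [security Protection] c:\programdata\defender.exe
mRun: [<NO NAME>]
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [sVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll
============= SERVICES / DRIVERS ===============
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
S2 ScanQuery Service;ScanQuery Service;c:\programdata\scanquery\scanquery183.exe [2011-8-19 26112]
=============== Created Last 30 ================
2011-08-20 03:54:12 862720 ----a-w- c:\programdata\defender.exe
==================== Find3M ====================
2011-07-22 04:56:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb
============= FINISH: 18:57:04.16 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(?P<title>[^=]+?)\s*=+$")
RUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]*);[^;]*;(?P<cmd>.*?)(?:\s+\[[^\]]*\])?$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s+(?P<path>.+)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
# First image path in a command line: optional quotes, stop at a known extension
# so trailing arguments such as "/AUTO" or "SVPwUTIL" are dropped.
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com|sys|bat|cmd|vbs))"?(?:\s|$)', re.I)

# Aliases DDS leaves in paths, expanded so directory checks work on one spelling.
ENV_ALIASES = {"%programfiles%": "c:\\program files", "c:\\progra~1": "c:\\program files",
               "%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}
# Locations any standard user can write to. Vendor software normally installs under
# Program Files or Windows, so a persistence entry pointing here deserves a look.
USER_WRITABLE_ROOTS = ("c:\\programdata", "c:\\users", "c:\\windows\\temp",
                       "%appdata%", "%localappdata%", "%temp%", "%userprofile%")


def normalize(path: str) -> str:
    """Lower-case a path, strip quotes and expand the aliases DDS prints."""
    p = path.strip().strip('"').lower()
    for alias, real in ENV_ALIASES.items():
        if p.startswith(alias):
            p = real + p[len(alias):]
    return p


@dataclass
class Finding:
    kind: str                      # "run", "service" or "appinit"
    name: str                      # autostart value name or service name
    path: str                      # normalized image path
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that trip at least one heuristic, in log order."""
    section, recent, entries = "", set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("title").lower()
            continue
        if section == "created last 30":       # Find3M uses the same line format, so gate on section
            m = CREATED_RE.match(line)
            if m:
                recent.add(normalize(m.group("path")))
            continue
        for kind, rx in (("run", RUN_RE), ("service", SERVICE_RE)):
            m = rx.match(line)
            if m:
                img = IMAGE_RE.match(m.group("cmd"))
                if img:                         # skip empty values such as "[<NO NAME>]"
                    entries.append(Finding(kind, m.group("name"), normalize(img.group("path"))))
                break
        else:
            m = APPINIT_RE.match(line)
            if m:
                entries.append(Finding("appinit", "AppInit_DLLs", normalize(m.group("path"))))

    writable = tuple(root + "\\" for root in USER_WRITABLE_ROOTS)
    for e in entries:
        if e.kind == "appinit":
            e.reasons.append("AppInit_DLLs is loaded into every process that uses user32.dll; rarely legitimate")
        if e.path.startswith(writable):
            e.reasons.append("image lives in a user-writable data directory, not Program Files or Windows")
        if e.path in recent:
            e.reasons.append("file was created within the last 30 days")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LOG):
        print(f"[{f.kind}] {f.name!r} -> {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample it reports three entries: the `security Protection` Run value (c:\programdata\defender.exe, flagged for both its location and its creation date), the Bandoo AppInit DLL, and the ScanQuery service in ProgramData; the first and third are the files ComboFix later deleted. Everything that resolves under Program Files or Windows stays quiet, including the `%ProgramFiles%` and `progra~1` spellings. A hit is a review cue, not a verdict: the heuristics only rank what to look at first.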


tieny,

 

My apologies for the delay.

 

Let's go this route:

 

If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version.

Use Safe Mode with Networking if necessary.

 

Download ComboFix

 

Save ComboFix.exe to your Desktop!!

 

Make sure you continue to temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.

 

 

Right-click on ComboFix.exe and select: Run as Administrator

 

Click on Yes, to continue scanning for malware.

 

When finished, CF produces a report.

 

Please provide a copy of the C:\ComboFix.txt in your reply.

 

Thanks.


ComboFix 11-09-17.06 - thanhhoa 09/18/2011 9:37.1.1 - x86 NETWORK

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1387 [GMT -7:00]

Running from: c:\users\thanhhoa\Desktop\ComboFix.exe

AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Blinkx

c:\program files\Blinkx\blinkx.ico

c:\program files\Blinkx\blinkxss.exe

c:\program files\Blinkx\blinkxstop.exe

c:\program files\Blinkx\lang.dll

c:\program files\Blinkx\templates\beat.ico

c:\program files\Blinkx\templates\index.html

c:\program files\Blinkx\templates\noflash.html

c:\program files\Blinkx\templates\offline.html

c:\program files\Blinkx\templates\offline.swf

c:\program files\Blinkx\templates\uninstall.exe

c:\program files\ClickPotatoLite

c:\program files\ClickPotatoLite\bin\10.0.668.0\ClickPotatoLiteSA.exe

c:\program files\ClickPotatoLite\bin\10.0.668.0\ClickPotatoLiteSAAX.dll

c:\program files\ClickPotatoLite\bin\10.0.668.0\ClickPotatoLiteSABHO.dll

c:\program files\ClickPotatoLite\bin\10.0.668.0\ClickPotatoLiteSAHook.dll

c:\program files\ClickPotatoLite\bin\10.0.668.0\ClickPotatoLiteUninstaller.exe

c:\program files\ClickPotatoLite\bin\10.0.668.0\firefox\extensions\install.rdf

c:\program files\ClickPotatoLite\bin\10.0.668.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll

c:\program files\ScanQuery

c:\program files\ScanQuery\scanquery.dll

c:\program files\ScanQuery\scanquery.exe

c:\program files\ScanQuery\uninstall.exe

c:\program files\ShoppingReport2

c:\program files\ShoppingReport2\Bin\2.7.34\ShoppingReport.dll

c:\program files\ShoppingReport2\Uninst.exe

c:\programdata\2ACA5CC3-0F83-453D-A079-1076FE1A8B65

c:\programdata\ClickPotatoLiteSA

c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSA.dat

c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSA_kyf.dat

c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAAbout.mht

c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAau.dat

c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAEULA.mht

c:\programdata\defender.exe

c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato

c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato\About Us.lnk

c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Customer Support.lnk

c:\programdata\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Uninstall Instructions.lnk

c:\programdata\ScanQuery

c:\programdata\ScanQuery\scanquery183.exe

c:\programdata\xp

c:\programdata\xp\EBLib.dll

c:\programdata\xp\TPwSav.sys

c:\users\Public\Desktop\Security Protection.lnk

c:\users\thanhhoa\AppData\Roaming\ClickPotatoLite

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_ScanQuery Service

.

.

((((((((((((((((((((((((( Files Created from 2011-08-19 to 2011-09-19 )))))))))))))))))))))))))))))))

.

.

2011-09-18 16:42 . 2011-09-18 16:42 -------- d-----w- c:\users\thanhhoa\AppData\Local\temp

2011-09-18 16:42 . 2011-09-18 16:42 -------- d-----w- c:\users\Default\AppData\Local\temp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-22 04:56 . 2011-08-12 16:29 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-16 04:37 . 2011-08-12 16:29 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-07-16 04:34 . 2011-08-12 16:29 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 04:31 . 2011-08-12 16:29 271360 ----a-w- c:\windows\system32\conhost.exe

2011-07-16 04:19 . 2011-08-12 16:29 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2011-07-16 02:21 . 2011-08-12 16:29 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 02:21 . 2011-08-12 16:29 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:21 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:21 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-09 02:26 . 2011-08-12 16:29 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-06-23 04:38 . 2011-08-12 16:30 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-06-23 04:38 . 2011-08-12 16:30 3902336 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-06-21 05:39 . 2011-08-12 16:29 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-06-21 05:36 . 2011-08-12 16:29 981504 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 05:35 . 2011-08-12 16:29 44544 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-21 04:26 . 2011-08-12 16:29 386048 ----a-w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MyTOSHIBA"="c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe" [2009-08-06 264048]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]

"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-07-10 352256]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 425984]

"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]

"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]

"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-04 611672]

"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Bandoo\BndHook.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

.

R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe [x]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-16 183560]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-17 171008]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-21 1343400]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]

2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 21:59]

.

2011-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 21:59]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

TCP: DhcpNameServer = 192.168.0.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKLM-Run-ClickPotatoLiteSA - c:\program files\ClickPotatoLite\bin\10.0.668.0\ClickPotatoLiteSA.exe

AddRemove-ScanQuery - c:\program files\ScanQuery\uninstall.exe

AddRemove-blinkx beat - c:\program files\Blinkx\templates\uninstall.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.0.30\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\conhost.exe

c:\windows\helppane.exe

.

**************************************************************************

.

Completion time: 2011-09-18 18:37:29 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-19 01:37

.

Pre-Run: 204,218,441,728 bytes free

Post-Run: 203,943,870,464 bytes free

.

- - End Of File - - 684F91E6F3694B22C895977FECAB54D2


tieny,

 

Let's do the following:

 

1. Please continue to disable (temporarily) all AntiVirus and AntiMalware programs so they do not interfere with the running of ComboFix.

 

2. Open Notepad, click the Format menu, uncheck Word Wrap, and then copy/paste the text in the code box below to it:

 

 

KILLALL::

Folder::
c:\program files\bandoo

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}]

 

Save to your Desktop as CFScript.txt

 

3. Close all open windows.

 

4. Referring to the picture below, drag CFScript into ComboFix.exe

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

When finished, it will produce a log for you at "C:\ComboFix.txt"

 

Note: Do not mouse-click the ComboFix window while it is running. It may cause CF to stall.

 

5. When done, please post the Combofix.txt in your reply.

 

 

Please update on the following:

Are you still getting "TCrdMain.exe can not start. It is infected by W32/Blaster.Worm Please activate Security Protection to protect your computer."?

 

Can you open Internet Explorer and Task Manager ?

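The CFScript above clears the AppInit_DLLs value that the ComboFix log showed pointing at Bandoo's BndHook.dll, a DLL that Windows loads into every user-mode process that links user32.dll, which is why a helper treats a non-empty value as a priority item. As an added illustration that is not part of this thread, of ComboFix, or of any tool the helpers use, here is a small Python triage script that reads 'Reg Loading Points' lines in the layout ComboFix prints them and flags the entries a helper looks at first: a populated AppInit_DLLs value, a Run entry whose binary lives outside Program Files or Windows, and a service whose binary is missing ([x]). The sample log is constructed from entries of the kind seen in this thread; the defender.exe Run entry and its timestamp are made up for the sample, and the function and class names are my own.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Constructed example, not part of ComboFix or of the forum thread's tooling.
It parses Run-key values, the AppInit_DLLs value and R*/S* service lines in
the layout ComboFix prints them and returns the entries worth a closer look.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a mix of entries modelled on the thread's log.  The
# "defender" Run entry and its timestamp are invented for the example.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]
"defender"="c:\programdata\defender.exe" [2011-09-15 212992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Bandoo\BndHook.dll
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
"""

# One regex per line shape ComboFix uses in this section.
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<stamp>[^\]]*)\]$')
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]$'
)

# Autoruns under these prefixes are left to the human; anything else is flagged.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")


@dataclass
class Finding:
    severity: str  # "high" or "review"
    kind: str      # "AppInit_DLLs", "autorun" or "service-missing-binary"
    detail: str


def triage_reg_loading_points(log_text: str) -> List[Finding]:
    """Return the persistence entries a helper would check first."""
    findings: List[Finding] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue  # ComboFix separates blocks with a lone dot
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = APPINIT_RE.match(line)
        if m:
            value = m.group("value").strip()
            if value:  # an empty value (as after the CFScript fix) is normal
                findings.append(Finding("high", "AppInit_DLLs", value))
            continue
        m = RUN_VALUE_RE.match(line)
        if m and current_key and current_key.lower().endswith("\\run"):
            if not m.group("path").lower().startswith(TRUSTED_PREFIXES):
                findings.append(Finding("review", "autorun",
                                        f'{m.group("name")} -> {m.group("path")}'))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("stamp") == "x":  # ComboFix prints [x] when the file is absent
            findings.append(Finding("review", "service-missing-binary",
                                    f'{m.group("name")} -> {m.group("path")}'))
    return findings


if __name__ == "__main__":
    for f in triage_reg_loading_points(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

Run against the sample it reports the BndHook.dll AppInit_DLLs value as high, the defender.exe autorun and the Norton service with a missing binary for review, and stays silent on the vendor entries under Program Files and Windows. Once the CFScript has emptied the value, the same `"AppInit_DLLs"=` line produces no finding, which is the check a helper would re-run on the follow-up log.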

I can now open Internet Explorer and Task Manager.

 

 

ComboFix 11-09-17.06 - thanhhoa 09/19/2011 7:59.2.1 - x86 NETWORK

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1443 [GMT -7:00]

Running from: c:\users\thanhhoa\Desktop\ComboFix.exe

Command switches used :: c:\users\thanhhoa\Desktop\CFScript.txt

AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\bandoo

c:\program files\bandoo\Bandoo.exe

c:\program files\bandoo\BandooGo.exe

c:\program files\bandoo\BandooRes.dll

c:\program files\bandoo\BandooUI.exe

c:\program files\bandoo\BndCore.exe

c:\program files\bandoo\BndHook.dll

c:\program files\bandoo\CrashRpt.dll

c:\program files\bandoo\ExtensionsManager.exe

c:\program files\bandoo\FFSettings.exe

c:\program files\bandoo\FlashAnimator.dll

c:\program files\bandoo\GIFAnimator.dll

c:\program files\bandoo\INSTALL.LOG

c:\program files\bandoo\InstallerHelper.dll

c:\program files\bandoo\libungif4.dll

c:\program files\bandoo\license.rtf

c:\program files\bandoo\Plugins.ini

c:\program files\bandoo\Plugins\IE\ieplugin.dll

c:\program files\bandoo\Plugins\IE\Resources\bandoo.js

c:\program files\bandoo\Plugins\IE\Resources\HTML\blank.html

c:\program files\bandoo\Plugins\IE\Resources\HTML\error.html

c:\program files\bandoo\Plugins\MSN\msnplugin.dll

c:\program files\bandoo\Plugins\MSN\Resources\HTML\blank.html

c:\program files\bandoo\Plugins\MSN\Resources\HTML\error.html

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\BandooToolbar.xml

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\Images\1001.dat

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\Images\1002.dat

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\Images\1003.dat

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\Images\1004.dat

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\Images\1005.dat

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\Images\1006.dat

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\Images\1011.dat

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\Images\1012.dat

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\Images\1013.dat

c:\program files\bandoo\Plugins\MSN\Resources\Toolbar\Images\1014.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\HTML\blank.html

c:\program files\bandoo\Plugins\Yahoo\Resources\HTML\error.html

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\BandooToolbar.xml

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\BandooToolbarV9.xml

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1001.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1002.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1003.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1004.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1005.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1006.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1051.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1052.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1053.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1054.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1055.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1056.dat

c:\program files\bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1057.dat

c:\program files\bandoo\Plugins\Yahoo\YahooPlugin.dll

c:\program files\bandoo\PreUninstall.exe

c:\program files\bandoo\Resources\BandooMessages.xml

c:\program files\bandoo\Resources\downloading.gif

c:\program files\bandoo\Resources\nudge0.wav

c:\program files\bandoo\Resources\nudge1.wav

c:\program files\bandoo\Resources\nudge2.wav

c:\program files\bandoo\Resources\nudge3.wav

c:\program files\bandoo\Resources\nudge4.wav

c:\program files\bandoo\Resources\nudge5.wav

c:\program files\bandoo\Resources\tutorial\images\bottomBg.gif

c:\program files\bandoo\Resources\tutorial\images\close.gif

c:\program files\bandoo\Resources\tutorial\images\contentBg.gif

c:\program files\bandoo\Resources\tutorial\images\installation_page_frame.swf

c:\program files\bandoo\Resources\tutorial\images\screen.jpg

c:\program files\bandoo\Resources\tutorial\images\startMenuTopText.gif

c:\program files\bandoo\Resources\tutorial\images\topBg.gif

c:\program files\bandoo\Resources\tutorial\images\what_next.gif

c:\program files\bandoo\Resources\tutorial\tutorial.html

c:\program files\bandoo\UNWISE.EXE

.

.

((((((((((((((((((((((((( Files Created from 2011-08-20 to 2011-09-20 )))))))))))))))))))))))))))))))

.

.

2011-09-19 15:05 . 2011-09-19 15:05 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS

2011-09-19 15:05 . 2011-09-19 15:05 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS

2011-09-19 15:05 . 2011-09-19 15:05 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS

2011-09-19 15:05 . 2011-09-19 15:05 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS

2011-09-19 15:05 . 2011-09-19 15:05 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS

2011-09-19 15:05 . 2011-09-19 15:05 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS

2011-09-19 15:05 . 2011-09-19 15:05 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS

2011-09-19 15:05 . 2011-09-19 15:05 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS

2011-09-19 15:05 . 2011-09-19 15:05 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS

2011-09-19 15:05 . 2011-09-19 15:05 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS

2011-09-19 15:05 . 2011-09-19 15:05 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS

2011-09-19 15:05 . 2011-09-19 15:05 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS

2011-09-19 15:04 . 2011-09-19 15:04 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS

2011-09-19 15:04 . 2011-09-19 15:04 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS

2011-09-19 15:04 . 2011-09-19 15:04 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS

2011-09-19 15:04 . 2011-09-19 15:04 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS

2011-09-19 15:04 . 2011-09-19 15:04 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS

2011-09-19 15:04 . 2011-09-20 01:31 -------- d-----w- c:\users\thanhhoa\AppData\Local\temp

2011-09-19 15:04 . 2011-09-19 15:04 -------- d-----w- c:\users\Default\AppData\Local\temp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-22 04:56 . 2011-08-12 16:29 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-16 04:37 . 2011-08-12 16:29 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-07-16 04:34 . 2011-08-12 16:29 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 04:31 . 2011-08-12 16:29 271360 ----a-w- c:\windows\system32\conhost.exe

2011-07-16 04:19 . 2011-08-12 16:29 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

2011-07-16 04:19 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2011-07-16 02:21 . 2011-08-12 16:29 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 02:21 . 2011-08-12 16:29 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:21 . 2011-08-12 16:29 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:21 . 2011-08-12 16:29 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-09 02:26 . 2011-08-12 16:29 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-06-23 04:38 . 2011-08-12 16:30 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-06-23 04:38 . 2011-08-12 16:30 3902336 ----a-w- c:\windows\system32\ntoskrnl.exe

.

.

((((((((((((((((((((((((((((( SnapShot@2011-09-19_01.34.07 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-11-14 01:31 . 2011-09-16 00:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-11-14 01:31 . 2011-09-19 15:07 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-07-14 04:34 . 2011-09-19 15:07 12368 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

- 2009-11-14 01:31 . 2011-09-16 00:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-11-14 01:31 . 2011-09-19 15:07 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-11-14 01:31 . 2011-09-16 00:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-11-14 01:31 . 2011-09-19 15:07 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-11-13 20:41 . 2011-09-16 00:44 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-11-13 20:41 . 2011-09-19 15:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-11-13 20:41 . 2011-09-19 15:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-11-13 20:41 . 2011-09-16 00:44 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2011-09-19 02:02 . 2011-09-19 02:02 8192 c:\windows\System32\Microsoft\Protect\Recovery\Recovery.dat

+ 2011-09-16 01:34 . 2011-09-19 15:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2011-09-16 01:34 . 2011-09-18 16:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2011-09-16 01:34 . 2011-09-18 16:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2011-09-16 01:34 . 2011-09-19 15:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2009-11-16 03:58 . 2011-09-20 01:30 227670 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin

- 2009-07-14 02:05 . 2011-09-16 00:42 624178 c:\windows\System32\perfh009.dat

+ 2009-07-14 02:05 . 2011-09-19 15:08 624178 c:\windows\System32\perfh009.dat

- 2009-07-14 02:05 . 2011-09-16 00:42 106522 c:\windows\System32\perfc009.dat

+ 2009-07-14 02:05 . 2011-09-19 15:08 106522 c:\windows\System32\perfc009.dat

+ 2009-07-14 02:03 . 2011-09-20 01:31 7077888 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT

- 2009-07-14 02:03 . 2011-08-20 03:58 7077888 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT

+ 2011-05-20 02:30 . 2011-09-19 15:09 127929941 c:\windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MyTOSHIBA"="c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe" [2009-08-06 264048]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]

"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-07-10 352256]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 425984]

"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]

"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]

"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-04 611672]

"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe [x]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-16 183560]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-17 171008]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-21 1343400]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]

S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]

S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]

2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 21:59]

.

2011-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 21:59]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

TCP: DhcpNameServer = 192.168.0.1

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-Bandoo - c:\program files\Bandoo\PreUninstall.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.0.30\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft\BingBar\SeaPort.EXE

c:\windows\system32\TODDSrv.exe

c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\servicing\TrustedInstaller.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Synaptics\SynTP\SynTPHelper.exe

c:\windows\system32\igfxext.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\windows\system32\DllHost.exe

c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe

c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

c:\windows\system32\taskhost.exe

.

**************************************************************************

.

Completion time: 2011-09-19 18:34:53 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-20 01:34

ComboFix2.txt 2011-09-19 01:37

.

Pre-Run: 203,997,868,032 bytes free

Post-Run: 203,568,263,168 bytes free

.

- - End Of File - - 247F4EE52E55C0EC4A36D628C47DDD75


Let's do one more 'cleansing' scan to remove any remnants that may be lurking, by running the ESET Online Scanner:

 

Continue to disable your AntiVirus program and any AntiSpyware programs while performing the scan. It will preclude conflicts, and will speed up scan time.

 

Since you are using Windows Seven to perform this scan, go to Start button, look for the browser icon, right-click it and select: 'Run as administrator'.

 

In the browser address bar, copy paste the following:

http://www.eset.com/us/online-scanner

Press the ESET Online Scanner button

  • In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
  • Allow the ActiveX to download, and click: 'Install'
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click Scan
  • Wait for the scan to finish
  • If any threats are found, click the 'List of found threats', then click Export to text file....
  • Save the file to your desktop as: ESET Scan.

Please provide the contents of the ESET Scan in your reply.

 

Thanks.


C:\Qoobox\Quarantine\C\Program Files\Bandoo\Bandoo.exe.vir a variant of Win32/Adware.Bandoo.AA application

C:\Qoobox\Quarantine\C\Program Files\Bandoo\BandooGo.exe.vir a variant of Win32/Adware.Bandoo.AA application

C:\Qoobox\Quarantine\C\Program Files\Bandoo\BandooUI.exe.vir a variant of Win32/Adware.Bandoo.AA application

C:\Qoobox\Quarantine\C\Program Files\Bandoo\BndCore.exe.vir a variant of Win32/Adware.Bandoo.AA application

C:\Qoobox\Quarantine\C\Program Files\Bandoo\ExtensionsManager.exe.vir a variant of Win32/Adware.Bandoo.AA application

C:\Qoobox\Quarantine\C\Program Files\Bandoo\InstallerHelper.dll.vir a variant of Win32/Adware.Bandoo.AA application

C:\Qoobox\Quarantine\C\Program Files\Bandoo\Plugins\IE\ieplugin.dll.vir a variant of Win32/Adware.Bandoo.AA application

C:\Qoobox\Quarantine\C\Program Files\Bandoo\Plugins\MSN\msnplugin.dll.vir a variant of Win32/Adware.Bandoo.AA application

C:\Qoobox\Quarantine\C\Program Files\Bandoo\Plugins\Yahoo\YahooPlugin.dll.vir a variant of Win32/Adware.Bandoo.AA application

C:\Qoobox\Quarantine\C\Program Files\ClickPotatoLite\bin\10.0.668.0\ClickPotatoLiteSA.exe.vir probably a variant of Win32/Adware.180Solutions application

C:\Qoobox\Quarantine\C\Program Files\ClickPotatoLite\bin\10.0.668.0\ClickPotatoLiteSAAX.dll.vir probably a variant of Win32/Adware.HotBar.E application

C:\Qoobox\Quarantine\C\Program Files\ClickPotatoLite\bin\10.0.668.0\ClickPotatoLiteUninstaller.exe.vir probably a variant of Win32/Adware.HotBar.E application

C:\Qoobox\Quarantine\C\Program Files\ClickPotatoLite\bin\10.0.668.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll.vir a variant of Win32/Adware.HotBar.J application

C:\Qoobox\Quarantine\C\Program Files\ScanQuery\scanquery.dll.vir probably a variant of Win32/Adware.MVNRZUR application

C:\Qoobox\Quarantine\C\Program Files\ScanQuery\scanquery.exe.vir a variant of Win32/Adware.OneStep.AI application

C:\Qoobox\Quarantine\C\Program Files\ShoppingReport2\Bin\2.7.34\ShoppingReport.dll.vir Win32/Adware.Toolbar.Shopper.AB application

C:\Qoobox\Quarantine\C\ProgramData\defender.exe.vir a variant of Win32/Kryptik.RWY trojan

C:\Qoobox\Quarantine\C\ProgramData\ScanQuery\scanquery183.exe.vir a variant of Win32/Adware.OneStep.AI application

C:\Users\thanhhoa\Downloads\XvidSetup.exe a variant of Win32/Adware.HotBar.H application


tieny,

 

Please search for and remove the following entry found on the ESET Scan:

C:\Users\thanhhoa\Downloads\XvidSetup.exe

 

The rest of the entries are in the ComboFix Qoobox, and, we will take care of them when we wrap up.

 

 

 

On the issues that were of concern on your initial post:

 

1. "TCrdMain.exe can not start. It is infected by W32/Blaster.Worm Please activate security protection to protect your computer."

2. Cannot open Internet Explorer

3. Cannot open Task Manager

 

Are they still happening, and, are you having any more malware problems?

 

 

 

Also, please download and run the following:

 

Download TFC to your Desktop.

  • Save any work in progress!! TFC closes open applications and removes unsaved work!.
  • Right-click TFC.exe and select: Run as Administrator
  • If prompted, click "Yes" to reboot.

Last, download Security Check

 

Save it to the Desktop.

Right-click SecurityCheck.exe and select: Run as Administrator

Follow the on-screen instructions (on the black screen)

When done, a Notepad document opens automatically: checkup.txt

 

Please post the contents of checkup.txt in your reply.


All the problems are gone.

 

Results of screen317's Security Check version 0.99.7

Windows 7 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Norton Internet Security

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Java 6 Update 14

Out of date Java installed!

Adobe Flash Player

Adobe Reader 9.1

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````


If the computer is running well, you are good to go.

 

The next step is important, as it will implement important cleanup procedures, reset your System Restore by flushing out previous restore points (which contain the infections), and create a new restore point.

 

Click Start > Run, copy/paste the following bolded text into the Run box, and click OK:

 

ComboFix /uninstall

 

ComboFix will uninstall itself from your computer and remove its backups and quarantined files.

When it has finished you will see a dialog box stating that ComboFix has been uninstalled.

 

You can now delete the ComboFix program icon from your Desktop, if still there.

 

Also, remove from your Desktop any other programs we have used, and any folders or reports created by them.

 

Make sure you re-enable any security programs that were temporarily disabled.

 

 

 

The following tasks need attention:

 

Please verify the version of Java you have installed:

http://www.java.com/en/download/installed.jsp

 

If your version of Java is outdated, it needs to be updated to eliminate security vulnerabilities.

When done, uninstall older versions:

http://www.java.com/en/download/uninstall.jsp

 

 

 

 

Consider doing the following to prevent future infections...

 

Malware is normally installed through vulnerabilities found in out-dated and insecure programs on a computer. You can use the Secunia Personal Software Inspector to scan for vulnerable programs on your computer:

http://secunia.com/vulnerability_scanning/personal/

 

A tutorial on how to use the program is found here:

http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/

 

 

Surf safely, tieny!!
