Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: Persistant Malware that wont go away!  (Read 5161 times)

0 Members and 1 Guest are viewing this topic.

midgetoto

    Topic Starter


    Starter

    Persistant Malware that wont go away!
    « on: June 10, 2010, 01:15:26 PM »
    Hi,

    I am having some trouble with some form of infection.  Appromimatly every 10 mins my internet browser opens and new tab and performs a fake virus scan that informs me I have multiple very dangerous infections and must immediatly buy their product if I dont want the world to end!

    I have been following the advice posted in the site forums ("read this before posting") and have so far run scans with Spybot, Malwarebytes and SUPERAntispy.  All of these detect the infection and claim to have removed it from the system.  However, despite being deleated in reappears within the 10 minutes and carries on causing the new tab popup.

    I have the logs for the SUPERantispy and Malwarebytes along with Hijackthis ready to post if someone needs to look at them to help.

    Thanks

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1209
    • Experience: Guru
    • OS: Windows 10

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 996
    • Certifications: List
    • Experience: Expert
    • OS: Windows 8
    Re: Persistant Malware that wont go away!
    « Reply #2 on: June 10, 2010, 01:19:23 PM »
    Please copy and paste the logs. We need to see them.
    Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

    midgetoto

      Topic Starter


      Starter

      Re: Persistant Malware that wont go away!
      « Reply #3 on: June 10, 2010, 01:49:04 PM »
      Below are the logs for SUPERspyware and Hijackthis.  On the most recent scan malwarebytes didnt detect anything odd.  However the thing the SUPERspyware detected this time is not the same as previously (this time it was a file... before it was something in the registry).  None of the programs seem to have found anything this time around but it is still there and causing the popups

      Thanks


      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 06/10/2010 at 08:53 PM

      Application Version : 4.38.1004

      Core Rules Database Version : 5056
      Trace Rules Database Version: 2868

      Scan type       : Quick Scan
      Total Scan Time : 00:48:31

      Memory items scanned      : 784
      Memory threats detected   : 0
      Registry items scanned    : 671
      Registry threats detected : 0
      File items scanned        : 15707
      File threats detected     : 1

      Adware.Tracking Cookie
         C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt




      Hijackthis log


      Logfile of Trend Micro HijackThis v2.0.4
      Scan saved at 20:08:56, on 10/06/2010
      Platform: Windows Vista SP2 (WinNT 6.00.1906)
      MSIE: Internet Explorer v8.00 (8.00.6001.18904)
      Boot mode: Normal

      Running processes:
      C:\Windows\system32\Dwm.exe
      C:\Windows\system32\taskeng.exe
      C:\Windows\Explorer.EXE
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
      C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
      C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Windows\RtHDVCpl.exe
      C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
      C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
      C:\Windows\vVX1000.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Windows\System32\rundll32.exe
      C:\Program Files\Synaptics\SynTP\SynToshiba.exe
      C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
      C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
      C:\Program Files\O2\bin\sprtcmd.exe
      C:\Program Files\McAfee.com\Agent\mcagent.exe
      C:\Windows\System32\hkcmd.exe
      C:\Windows\System32\igfxpers.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Windows\ehome\ehtray.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\Users\robert\Program Files\DNA\btdna.exe
      C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
      C:\Users\robert\AppData\Local\Temp\pdfupd.exe
      C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\Program Files\UltraMon\UltraMon.exe
      C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
      C:\Program Files\UltraMon\UltraMonTaskbar.exe
      C:\Windows\system32\igfxsrvc.exe
      C:\Windows\ehome\ehmsas.exe
      C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
      C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
      C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
      C:\Program Files\UltraMon\UltraMonUiAcc.exe
      C:\Program Files\Trend Micro\HiJackThis\sniper.exe.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O1 - Hosts: ::1 localhost
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
      O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
      O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
      O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
      O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
      O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
      O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
      O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
      O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
      O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
      O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
      O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
      O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
      O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
      O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
      O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
      O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
      O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
      O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
      O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      O4 - HKLM\..\Run: [VX1000] C:\Windows\vVX1000.exe
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
      O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
      O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
      O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
      O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
      O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
      O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
      O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
      O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
      O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\robert\Program Files\DNA\btdna.exe"
      O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
      O4 - HKCU\..\Run: [NVidiaCenter] C:\Users\robert\AppData\Local\Temp\pdfupd.exe
      O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB0.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; OfficeLivePatch.0.0; .NET CLR 3.0.30729)" -"http://www.nationalexpress.com/coach/index.cfm"
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
      O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
      O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
      O4 - Global Startup: UltraMon.lnk = ?
      O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
      O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
      O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
      O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
      O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
      O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O15 - Trusted Zone: http://*.broadband.o2.co.uk
      O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
      O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.mypix.com/importer/newconf/aurigma5.8.1.0/ImageUploader5.cab
      O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} (IPSUploader4 Control) - https://as.photoprintit.de/ips-opdata/layout/default_cms01/activex/IPSUploader4.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{93E8FDD8-D813-4EDF-9BD1-9DF861AE8920}: NameServer = 208.67.220.220,208.67.222.222
      O17 - HKLM\System\CCS\Services\Tcpip\..\{987113E3-2B03-434D-9E8D-CC5033D65A15}: NameServer = 208.67.220.220,208.67.222.222
      O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
      O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
      O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
      O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
      O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
      O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
      O23 - Service: Google Update Service (gupdate1c9ef77113e2db0) (gupdate1c9ef77113e2db0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
      O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
      O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
      O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
      O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
      O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
      O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
      O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
      O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
      O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
      O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
      O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
      O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
      O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
      O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
      O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

      --
      End of file - 14443 bytes
      « Last Edit: June 10, 2010, 02:18:04 PM by midgetoto »

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 996
      • Certifications: List
      • Experience: Expert
      • OS: Windows 8
      Re: Persistant Malware that wont go away!
      « Reply #4 on: June 10, 2010, 05:22:58 PM »
      P2P - I see you have P2P software installed on your machine. (BitTorrent) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

      Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

      I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

      ==================================

      Please go to Jotti's malware scan
      (If more than one file needs scanned they must be done separately and links posted for each one)

      * Copy the file path in the below Code box:

      Code: [Select]
      C:\Users\robert\AppData\Local\Temp\pdfupd.exe
      * At the upload site, click once inside the window next to Browse.
      * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      * Next click Submit file
      * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      * This will perform a scan across multiple different virus scanning engines.
      * Important: Wait for all of the scanning engines to complete.
      * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

      ==================================

      Open HijackThis and select Do a system scan only

      Place a check mark next to the following entries: (if there)

      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
      O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

      Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please click the following line also.
      O15 - Trusted Zone: http://*.broadband.o2.co.uk

      Important: Close all open windows except for HijackThis and then click Fix checked.

      Once completed, exit HijackThis.

      ===================================

      Download Security Check by screen317 from one of the following links and save it to your desktop.

      Link 1
      Link 2

      * Unzip SecurityCheck.zip and a folder named Security Check should appear.
      * Open the Security Check folder and double-click Security Check.bat
      * Follow the on-screen instructions inside of the black box.
      * A Notepad document should open automatically called checkup.txt
      * Post the contents of that document in your next reply.

      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

      ======================================

      Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

      link # 1
      Link # 2

      Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Right-click combofix.exe and select Run as Administrator and follow the prompts.
      When finished, ComboFix will produce a log for you.
      Post the ComboFix log and a new HijackThis log in your next reply.

      NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

      Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

      midgetoto

        Topic Starter


        Starter

        Re: Persistant Malware that wont go away!
        « Reply #5 on: June 11, 2010, 06:12:34 AM »
        Hi,

        Here are the results of the Jottis Malware Scanner -

        http://virusscan.jotti.org/en-gb/scanresult/4a52a8bad8079ad229b1fd507d166af7fac03ab1/6d9ee1efe1103aed664e10f4a2029428bb10127f

        and the results for the security check by screen317 -

         Results of screen317's Security Check version 0.99.4 
         Windows Vista Service Pack 2 (UAC is enabled)
         Internet Explorer 8 
        ``````````````````````````````
        Antivirus/Firewall Check:

         Windows Firewall Enabled! 
         McAfee SecurityCenter     
         WMI entry may not exist for antivirus; attempting automatic update.
        ```````````````````````````````
        Anti-malware/Other Utilities Check:

         Malwarebytes' Anti-Malware   
         Java(TM) SE Runtime Environment 6
         Adobe Flash Player 10.0.12.36 
        Adobe Reader 7.0.8
        Out of date Adobe Reader installed!
         Mozilla Firefox (3.6.) Firefox Out of Date! 
        ````````````````````````````````
        Process Check: 
        objlist.exe by Laurent

         Windows Defender MSASCui.exe
         McAfee VIRUSS~1 mcshield.exe 
         McAfee VIRUSS~1 mcsysmon.exe 
         Windows Defender MSASCui.exe   
        ````````````````````````````````
        DNS Vulnerability Check:

         GREAT! (Not vulnerable to DNS cache poisoning)

        ``````````End of Log````````````




        and here is the result of the Combofix -

        ComboFix 10-06-10.04 - robert 11/06/2010  12:50:24.1.2 - x86
        Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.1013.347 [GMT 1:00]
        Running from: c:\users\robert\Desktop\ComboFix.exe
        SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
        SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
        SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        C:\Autorun.inf
        C:\readme.rtf
        C:\setup.exe
        c:\users\robert\GoToAssistDownloadHelper.exe

        .
        (((((((((((((((((((((((((   Files Created from 2010-05-11 to 2010-06-11  )))))))))))))))))))))))))))))))
        .

        2010-06-11 12:01 . 2010-06-11 12:01   --------   d-----w-   c:\users\robert\AppData\Local\temp
        2010-06-11 12:01 . 2010-06-11 12:01   --------   d-----w-   c:\users\Default\AppData\Local\temp
        2010-06-11 11:45 . 2010-06-11 11:45   --------   d-----w-   C:\32788R22FWJFW
        2010-06-10 19:00 . 2010-06-10 19:00   388096   ----a-r-   c:\users\robert\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
        2010-06-10 19:00 . 2010-06-10 19:00   --------   d-----w-   c:\program files\Trend Micro
        2010-06-10 17:37 . 2010-06-10 17:37   63488   ----a-w-   c:\users\robert\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
        2010-06-10 17:37 . 2010-06-10 17:37   52224   ----a-w-   c:\users\robert\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-06-10 17:37 . 2010-06-10 17:37   117760   ----a-w-   c:\users\robert\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-06-10 17:35 . 2010-06-10 17:35   --------   d-----w-   c:\users\robert\AppData\Roaming\SUPERAntiSpyware.com
        2010-06-10 17:35 . 2010-06-10 17:35   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
        2010-06-10 17:35 . 2010-06-10 17:35   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-06-10 00:00 . 2010-06-10 00:00   --------   d-----w-   c:\users\robert\AppData\Roaming\Malwarebytes
        2010-06-09 23:57 . 2010-04-29 14:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-06-09 23:57 . 2010-06-09 23:57   --------   d-----w-   c:\programdata\Malwarebytes
        2010-06-09 23:57 . 2010-06-09 23:58   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-06-09 23:57 . 2010-04-29 14:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-06-09 15:54 . 2010-06-09 15:54   --------   d-----w-   c:\program files\Spybot - Search & Destroy
        2010-06-08 05:50 . 2009-05-18 12:17   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
        2010-06-08 05:50 . 2008-04-17 11:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
        2010-06-08 05:48 . 2010-06-08 05:48   --------   d-----w-   c:\program files\iPod
        2010-06-08 05:48 . 2010-06-08 09:40   --------   d-----w-   c:\program files\iTunes
        2010-06-08 05:48 . 2010-06-08 05:50   --------   d-----w-   c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
        2010-06-08 05:45 . 2010-06-08 05:46   --------   d-----w-   c:\program files\QuickTime
        2010-06-08 05:35 . 2010-06-08 05:35   --------   d-----w-   c:\program files\Bonjour
        2010-06-08 05:32 . 2010-06-08 05:32   73000   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
        2010-05-26 11:59 . 2010-04-23 14:13   2048   ----a-w-   c:\windows\system32\tzres.dll
        2010-05-24 21:38 . 2010-05-24 21:38   501872   ----a-w-   c:\programdata\Google\Google Toolbar\Update\gtbA19F.tmp.exe

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-06-11 12:03 . 2008-11-08 18:32   --------   d-----w-   c:\users\robert\AppData\Roaming\DNA
        2010-06-10 18:07 . 2008-07-17 10:47   --------   d-----w-   c:\programdata\Google Updater
        2010-06-10 17:49 . 2008-11-08 18:34   --------   d-----w-   c:\users\robert\AppData\Roaming\BitTorrent
        2010-06-10 00:18 . 2007-09-11 17:59   --------   d-----w-   c:\users\robert\AppData\Roaming\LimeWire
        2010-06-09 16:36 . 2008-07-23 12:19   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
        2010-06-08 05:48 . 2007-08-13 19:40   --------   d-----w-   c:\program files\Common Files\Apple
        2010-06-07 20:21 . 2010-04-06 20:07   --------   d-----w-   c:\users\robert\AppData\Roaming\EndNote
        2010-06-05 11:22 . 2009-10-12 10:10   --------   d-----w-   c:\program files\Microsoft Silverlight
        2010-06-02 22:13 . 2008-12-17 22:17   --------   d-----w-   c:\users\robert\AppData\Roaming\Skype
        2010-06-02 19:57 . 2008-04-10 20:30   --------   d-----w-   c:\users\robert\AppData\Roaming\skypePM
        2010-05-23 17:58 . 2008-09-18 20:40   138376   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
        2010-05-23 17:57 . 2008-09-18 20:39   202448   ----a-w-   c:\windows\system32\PnkBstrB.exe
        2010-05-13 09:19 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
        2010-05-13 09:19 . 2007-07-14 13:09   --------   d-----w-   c:\programdata\Microsoft Help
        2010-05-12 10:21 . 2010-01-31 19:11   221568   ------w-   c:\windows\system32\MpSigStub.exe
        2010-04-29 10:33 . 2007-07-13 21:31   --------   d-----w-   c:\program files\Google
        2010-04-23 14:08 . 2010-04-23 14:08   14331274   ----a-w-   c:\programdata\SupportSoft\o2\SYSTEM\exec\MyO2Upgrade.exe
        2010-04-16 07:33 . 2010-04-16 07:33   41472   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
        2010-04-16 07:33 . 2010-04-16 07:33   3003680   ----a-w-   c:\windows\system32\usbaaplrc.dll
        2010-04-08 12:20 . 2010-04-08 12:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
        2010-04-08 12:20 . 2010-04-08 12:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
        2010-03-27 17:04 . 2007-07-13 13:24   85816   ----a-w-   c:\users\robert\AppData\Local\GDIPFONTCACHEV1.DAT
        1999-04-06 12:00 . 1999-04-06 12:00   6007808   ----a-r-   c:\program files\rct.ICD
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
        "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-17 68856]
        "BitTorrent DNA"="c:\users\robert\Program Files\DNA\btdna.exe" [2009-11-13 323392]
        "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
        "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
        "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
        "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-14 411768]
        "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
        "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-14 493688]
        "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-11 530552]
        "NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-07 90191]
        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-07 7766016]
        "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-07 81920]
        "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
        "RtHDVCpl"="RtHDVCpl.exe" [2006-11-07 3772416]
        "NDSTray.exe"="NDSTray.exe" [BU]
        "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2006-12-15 577536]
        "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
        "VX1000"="c:\windows\vVX1000.exe" [2006-12-05 707360]
        "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
        "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
        "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
        "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
        "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
        "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
        "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
        "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

        c:\users\robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
        OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
        wkcalrem.LNK - c:\program files\Common Files\microsoft shared\Works Shared\WkCalRem.exe [2005-8-18 21504]

        c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
        UltraMon.lnk - c:\windows\Installer\{CC15A5FC-B6D3-4A2D-8A26-D8F2702A3C00}\IcoUltraMon.ico [2010-2-9 29310]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "EnableUIADesktopToggle"= 0 (0x0)

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
        "aux2"=wdmaud.drv

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
        @=""

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
        @=""

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
        @="Service"

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
        2006-03-30 16:45   313472   ----a-r-   c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
        "VistaSp2"=hex(b):14,63,2d,93,de,4f,ca,01

        R2 gupdate1c9ef77113e2db0;Google Update Service (gupdate1c9ef77113e2db0);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 133104]
        R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
        R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
        R3 cdiskdun;cdiskdun;c:\users\robert\AppData\Local\Temp\cdiskdun.sys

        R3 CPWGU(Philips);Philips SNU5600 Wireless USB Adapter 11b/g(Philips);c:\windows\system32\DRIVERS\CPWGU.sys [2007-07-13 408064]
        R3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 15112]
        R3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s115mdm.sys [2007-04-23 108680]
        R3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 100488]
        S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
        S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
        S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
        S2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2008-09-14 10496]
        S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-19 7168]
        S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]

        .
        Contents of the 'Scheduled Tasks' folder

        2010-06-11 c:\windows\Tasks\Google Software Updater.job
        - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-13 19:05]

        2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 18:11]

        2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 18:11]

        2010-03-15 c:\windows\Tasks\McDefragTask.job
        - c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

        2010-06-01 c:\windows\Tasks\McQcTask.job
        - c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

        2010-06-11 c:\windows\Tasks\User_Feed_Synchronization-{D9B30BB4-63C0-47D4-A444-A174F9308500}.job
        - c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.google.co.uk/
        uInternet Settings,ProxyOverride = *.local
        IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
        IE: {{C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN
        Trusted Zone: o2.co.uk\*.broadband
        TCP: {93E8FDD8-D813-4EDF-9BD1-9DF861AE8920} = 208.67.220.220,208.67.222.222
        TCP: {987113E3-2B03-434D-9E8D-CC5033D65A15} = 208.67.220.220,208.67.222.222
        DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
        FF - ProfilePath - c:\users\robert\AppData\Roaming\Mozilla\Firefox\Profiles\etwqyu8t.default\
        FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
        FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
        FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
        FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
        FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
        FF - plugin: c:\users\robert\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
        FF - plugin: c:\users\robert\Program Files\DNA\plugins\npbtdna.dll

        ---- FIREFOX POLICIES ----
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
        .
        - - - - ORPHANS REMOVED - - - -

        HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
        HKLM-Run-Lexmark 1200 Series - c:\program files\Lexmark 1200 Series\lxczbmgr.exe



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-06-11 13:01
        Windows 6.0.6002 Service Pack 2 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 


        c:\windows\TEMP\TMP0000008A44B7D094B7312105 524288 bytes executable

        scan completed successfully
        hidden files: 1

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000
        "MSCurrentCountry"=dword:000000b5

        [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000

        [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000
        .
        Completion time: 2010-06-11  13:07:10
        ComboFix-quarantined-files.txt  2010-06-11 12:07

        Pre-Run: 8,441,253,888 bytes free
        Post-Run: 8,396,492,800 bytes free

        - - End Of File - - 3F353B60A000395DD83E224EDA4B5586


        and another run of  Hijackthis -

        Logfile of Trend Micro HijackThis v2.0.4
        Scan saved at 13:18:00, on 11/06/2010
        Platform: Windows Vista SP2 (WinNT 6.00.1906)
        MSIE: Internet Explorer v8.00 (8.00.6001.18904)
        Boot mode: Normal

        Running processes:
        C:\Windows\system32\Dwm.exe
        C:\Windows\system32\taskeng.exe
        C:\Program Files\Windows Defender\MSASCui.exe
        C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
        C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
        C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\Windows\RtHDVCpl.exe
        C:\Program Files\Synaptics\SynTP\SynToshiba.exe
        C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
        C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
        C:\Program Files\McAfee.com\Agent\mcagent.exe
        C:\Windows\System32\hkcmd.exe
        C:\Windows\System32\igfxpers.exe
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\Windows\ehome\ehtray.exe
        C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        C:\Users\robert\Program Files\DNA\btdna.exe
        C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
        C:\Program Files\UltraMon\UltraMon.exe
        C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
        C:\Program Files\UltraMon\UltraMonTaskbar.exe
        C:\Windows\ehome\ehmsas.exe
        C:\Windows\system32\igfxsrvc.exe
        C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
        C:\Program Files\UltraMon\UltraMonUiAcc.exe
        C:\Windows\system32\wuauclt.exe
        C:\Windows\system32\notepad.exe
        C:\Windows\explorer.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Trend Micro\HiJackThis\sniper.exe.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
        O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
        O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
        O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
        O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
        O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
        O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
        O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
        O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
        O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
        O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
        O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
        O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
        O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
        O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
        O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
        O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
        O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
        O4 - HKLM\..\Run: [VX1000] C:\Windows\vVX1000.exe
        O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
        O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
        O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
        O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
        O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
        O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
        O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
        O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
        O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\robert\Program Files\DNA\btdna.exe"
        O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
        O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB0.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; OfficeLivePatch.0.0; .NET CLR 3.0.30729)" -"http://www.nationalexpress.com/coach/index.cfm"
        O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
        O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
        O4 - Global Startup: UltraMon.lnk = ?
        O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
        O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
        O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
        O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
        O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
        O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.mypix.com/importer/newconf/aurigma5.8.1.0/ImageUploader5.cab
        O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} (IPSUploader4 Control) - https://as.photoprintit.de/ips-opdata/layout/default_cms01/activex/IPSUploader4.cab
        O17 - HKLM\System\CCS\Services\Tcpip\..\{93E8FDD8-D813-4EDF-9BD1-9DF861AE8920}: NameServer = 208.67.220.220,208.67.222.222
        O17 - HKLM\System\CCS\Services\Tcpip\..\{987113E3-2B03-434D-9E8D-CC5033D65A15}: NameServer = 208.67.220.220,208.67.222.222
        O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
        O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
        O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
        O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
        O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
        O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
        O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
        O23 - Service: Google Update Service (gupdate1c9ef77113e2db0) (gupdate1c9ef77113e2db0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
        O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
        O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
        O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
        O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
        O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
        O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
        O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
        O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
        O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
        O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
        O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
        O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
        O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
        O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

        --
        End of file - 12380 bytes




        Thanks!


        midgetoto

          Topic Starter


          Starter

          Re: Persistant Malware that wont go away!
          « Reply #6 on: June 11, 2010, 09:07:39 AM »
          looks like it has been defeated by something! hasnt reappeared in 2 hours!

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 996
          • Certifications: List
          • Experience: Expert
          • OS: Windows 8
          Re: Persistant Malware that wont go away!
          « Reply #7 on: June 12, 2010, 04:30:12 PM »
          Re-running ComboFix to remove infections:

          • Close any open browsers.
          • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
          • Open notepad and copy/paste the text in the quotebox below into it:
            Quote
            KillAll::

            DDS::

            Trusted Zone: o2.co.uk\*.broadband

          • Save this as CFScript.txt, in the same location as ComboFix.exe



          • Referring to the picture above, drag CFScript into ComboFix.exe
          • When finished, it shall produce a log for you at C:\ComboFix.txt
          • I do not need to see the log resulting from this action.
          ===========================

          Download the GMER Rootkit Scanner. Unzip it to your Desktop.

          Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

          Double-click gmer.exe. The program will begin to run.

          **Caution**
          These types of scans can produce false positives. Do NOT take any action on any
          "<--- ROOKIT" entries unless advised!

          If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
          *Click NO
          *In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
          *Now click the Scan button.
          Once the scan is complete, you may receive another notice about rootkit activity.
          *Click OK.
          *]GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
          *Save it where you can easily find it, such as your desktop.
          Post the contents of GMER.txt in your next reply.
          Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender