Topic: i.e. 9 (only) freezes - several trojans

Temmu
i.e. 9 (only) freezes - several trojans
« on: November 14, 2012, 09:17:52 PM »
greets, o great and mighty landzdown heroes!
we grovel at thy feet with this our lowly request,
"help!"

hardware:  sony vaio vgn-sr390 laptop. vista. i.e.9.

actions, so far:
removed 2 trojans w/ kaspersky rescue
removed 2 other trojans w/ superantispyware
- s.a.s also removed 160 pup search craps.

symptoms:
chrome browses internet freely - no problems
i.e. 9 opens in google, browses to the 1st page or 2 of a web site then freezes. it can be closed.
i.e. 9 displayed a message, "unknown program wants to make google your default home page" - but it already was.

thanks for looking into this.

logs, as requested:

attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-07.01)
.
Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume2
Install Date: 3/12/2009 2:16:43 PM
System Uptime: 11/14/2012 4:48:48 PM (0 hours ago)
.
Motherboard: Sony Corporation |  | VAIO
Processor: Intel(R) Core(TM)2 Duo CPU     T6400  @ 2.00GHz | N/A | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 366 GiB total, 266.737 GiB free.
D: is Removable
E: is Removable
H: is CDROM ()
Q: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Officejet 4500 G510n-z
Device ID: ROOT\IMAGE\0000
Manufacturer: Hewlett-Packard
Name: Officejet 4500 G510n-z
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet 4500 G510n-z
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet 4500 G510n-z
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
.
==== Hosts File Hijack ======================
.
Hosts: 127.0.0.1  ads.mcafee.com
Hosts: 127.0.0.1  analytics.microsoft.com
Hosts: 127.0.0.1  metrics.bitdefender.com
Hosts: 127.0.0.1  metrics.mcafee.com
Hosts: 127.0.0.1  om.symantec.com
Hosts: 127.0.0.1  ads.bleepingcomputer.com
Hosts: 127.0.0.1  wdcs.trendmicro.com
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
4500_G510nz_Help
4500G510nz
4500G510nz_Software_Min
Adobe Flash Player 11 ActiveX
Adobe Flash Player Plugin
Adobe Reader 9.5.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft WebCam Companion 2
avast! Free Antivirus
Bonjour
BufferChm
Click to Disc
Click to Disc Editor
Compatibility Pack for the 2007 Office system
Destinations
DeviceDiscovery
DocMgr
DocProc
EarthLink Access Software
EarthLink Common Authentication
EarthLink Simple Switch
EarthLink Toolbar
Fax
Funmoods on IE and Chrome
Google Chrome
Google Update Helper
HDAUDIO SoftV92 Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Document Manager 2.0
HP Imaging Device Functions 13.0
HP Officejet 4500 G510n-z
iCloud
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless WiFi Software
iTunes
Java Auto Updater
Java(TM) 6 Update 23
Java(TM) SE Runtime Environment 6
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Microsoft XML Parser
MobileMe Control Panel
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Transfer
Network
OCR Software by I.R.I.S. 13.0
OGA Notifier 2.0.0048.0
OpenOffice.org 3.1
PANTECH UM175 Driver
Patterson EagleSoft
PriceGong 2.5.0
Primo
Protector Suite QL 5.6
QuickTime
Realtek High Definition Audio Driver
Retrogamer toolbar
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio Easy Media Creator 10 LJ
Roxio Easy Media Creator Home
Safari
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Setting Utility Series
Sony Picture Utility
Spelling Dictionaries Support For Adobe Reader 9
Status
SUPERAntiSpyware
Synaptics Pointing Device Driver
Toolbox
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VAIO Control Center
VAIO Data Restore Tool
VAIO DVD Menu Data Basic
VAIO Event Service
VAIO Help and Support
VAIO Mode Switch
VAIO OOBE and Welcome Center
VAIO Power Management
VAIO Presentation Support
VAIO Update 4
VAIO Wallpaper Contents
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VZAccess Manager
WebReg
WIDCOMM Bluetooth Software 6.2.0.5800
WinDVD for VAIO
.
==== End Of File ===========================

dds.txt
DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 9.0.8112.16455
Run by staz at 16:55:30 on 2012-11-14
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.2910.1458 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Outdated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Outdated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\RtkAudioService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\PROGRA~1\RETROG~2\bar\1.bin\4wbarsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Mode Switch\VMSwitch.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\EarthLink\ISP\ISP8200\Browser\Bartshel.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Retrogamer_4w\bar\1.bin\4wbrmon.exe
C:\Program Files\EarthLink\ISP\ISP8200\Browser\PPShared.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\iPod\bin\iPodService.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
D:\__A_New_PC__\malware-loggers\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://search.earthlink.net
uURLSearchHooks: <No Name>: {4cff1016-c2e2-4fdd-9c67-e32200c25ff9} - c:\program files\retrogamer_4w\bar\1.bin\4wSrcAs.dll
BHO: Toolbar BHO: {03123bb6-a811-407e-b323-66cf0be510b1} - c:\program files\retrogamer_4w\bar\1.bin\4wbar.dll
BHO: Shopping Assistant Plugin: {1631550F-191D-4826-B069-D9439253D926} - c:\program files\pricegong\2.5.0\PriceGongIE.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ElnkPubBHO Class: {512ACF1B-64D9-4928-B382-A80556F28DB4} - c:\program files\earthlink\toolbar\ElnkPub.dll
BHO: Accelerator Plugin: {656EC4B7-072B-4698-B504-2A414C1F0037} - c:\program files\earthlink accelerated\prpl_IePopupBlocker.dll
BHO: Funmoods Helper Object: {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - c:\program files\funmoods\funmoods\1.5.11.16\bh\funmoods.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: ElnkProtectionBHO Class: {9579D574-D4D8-4335-9560-FE8641A013BD} - c:\program files\earthlink\toolbar\ProtctIE.dll
BHO: Search Assistant BHO: {d757dbfc-1494-4647-a8b3-abd654988dd8} - c:\program files\retrogamer_4w\bar\1.bin\4wSrcAs.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: ElnkLegacyUninstBHO Class: {E713904C-DF05-4C79-BBAD-02DB923253BE} - c:\program files\earthlink\toolbar\uninsttb.dll
TB: EarthLink Toolbar: {C7768536-96F8-4001-B1A2-90EE21279187} - c:\program files\earthlink\toolbar\Toolbar.dll
TB: Retrogamer: {3392CFEC-56F8-41EE-BDB4-4E301EFD2C93} - c:\program files\retrogamer_4w\bar\1.bin\4wbar.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: EarthLink Toolbar: {C7768536-96F8-4001-B1A2-90EE21279187} - c:\program files\earthlink\toolbar\Toolbar.dll
TB: Retrogamer: {3392cfec-56f8-41ee-bdb4-4e301efd2c93} - c:\program files\retrogamer_4w\bar\1.bin\4wbar.dll
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [VMSwitch] "c:\program files\sony\vaio mode switch\VMSwitch.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Bart Station] c:\program files\earthlink\isp\isp8200\bin\PPCOLink.exe -STATION
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Retrogamer Search Scope Monitor] "c:\progra~1\retrog~2\bar\1.bin\4wsrchmn.exe" /m=2 /w /h
mRun: [Retrogamer_4w Browser Plugin Loader] c:\progra~1\retrog~2\bar\1.bin\4wbrmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
StartupFolder: c:\users\staz\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableCAD = dword:1
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.8.4
TCP: Interfaces\{17B54786-D598-4A5A-A076-D11B25F220A1} : DHCPNameServer = 192.168.8.4
TCP: Interfaces\{E843F26E-F2C1-4CBF-A9A6-12CAFDC770E0} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: VESWinlogon - VESWinlogon.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages =  scecli psqlpwd
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1 analytics.microsoft.com
Hosts: 127.0.0.1 metrics.bitdefender.com
Hosts: 127.0.0.1 metrics.mcafee.com
Hosts: 127.0.0.1  om.symantec.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2008-10-29 23712]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-28 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-20 301528]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-20 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-20 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-20 42184]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 Retrogamer_4wService;RetrogamerService;c:\progra~1\retrog~2\bar\1.bin\4wbarsvc.exe [2012-3-22 42504]
R2 RtkAudioService;Realtek Audio Service;c:\windows\RTKAUDIOSERVICE.EXE [2008-10-29 102400]
R2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2008-10-29 415584]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-10-29 29736]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-8-29 3664384]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-10-29 9344]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe --> c:\progra~1\mcafee\sitead~1\mcsacore.exe [?]
S3 ESCameraService;ESCameraService;c:\eaglesoft\shared files\ESCameraService.exe [2007-2-12 49152]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-6-1 33024]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-6-1 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-6-1 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-6-1 59904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
ShellExec: VCExporterLaunch.exe: open="c:\program files\sony\vaio vp utilities\VCELaunch.exe" "%1"
.
=============== Created Last 30 ================
.
2012-11-14 22:32:57   75776   ----a-w-   c:\windows\system32\synceng.dll
2012-11-14 22:32:56   2047488   ----a-w-   c:\windows\system32\win32k.sys
2012-11-14 21:11:51   6918632   ----a-w-   c:\programdata\microsoft\windows defender\definition updates\{94f72d62-c9fe-4742-904c-e0a5bca705ce}\mpengine.dll
2012-11-12 19:36:08   --------   d---a-w-   C:\Kaspersky Rescue Disk 10.0
2012-10-23 17:38:59   --------   d-----w-   c:\users\staz\appdata\roaming\SUPERAntiSpyware.com
2012-10-23 17:38:36   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-10-23 17:38:35   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
.
==================== Find3M  ====================
.
2012-10-19 15:44:52   73656   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-19 15:44:52   696760   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-10-08 07:56:24   1800704   ----a-w-   c:\windows\system32\jscript9.dll
2012-10-08 07:48:03   1129472   ----a-w-   c:\windows\system32\wininet.dll
2012-10-08 07:47:44   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-10-08 07:44:05   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-10-08 07:43:21   420864   ----a-w-   c:\windows\system32\vbscript.dll
2012-10-08 07:40:56   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2012-09-13 13:28:08   2048   ----a-w-   c:\windows\system32\tzres.dll
2012-08-29 11:27:41   3602816   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-08-29 11:27:41   3550080   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-08-24 15:53:29   172544   ----a-w-   c:\windows\system32\wintrust.dll
2012-08-21 18:01:22   26840   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 18:01:22   106928   ----a-w-   c:\windows\system32\GEARAspi.dll
.
============= FINISH: 16:56:00.03 ===============

checkup.txt
Results of screen317's Security Check version 0.99.54
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
SUPERAntiSpyware
Java(TM) 6 Update 23
Java(TM) SE Runtime Environment 6
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSASCui.exe
malware-loggers SecurityCheck.exe
Windows Defender MSASCui.exe
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````


Corrine
Re: i.e. 9 (only) freezes - several trojans
« Reply #1 on: November 14, 2012, 09:44:42 PM »
Hi, Temmu.  Groveling isn't necessary -- not today anyway.  :)

First, let's get the vulnerable software off your computer. 
Please download Junkware Removal Tool to your desktop.
  • Disable your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it.  If you are using Windows Vista or Seven, right-mouse click it and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Then, please shutdown/restart your computer. 

Please follow these instructions carefully.

Download ComboFix from here.

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.

Don't forget to update Avast.



Temmu
Re: i.e. 9 (only) freezes - several trojans
« Reply #2 on: November 14, 2012, 11:23:28 PM »
actions:
simply uninstalled java & adobe reader
updated avast
ran jrt, combofix.

logs

jrt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.0.9 (11.13.2012)
OS: Windows Vista (TM) Business x86
Ran by staz on Wed 11/14/2012 at 18:46:15.21
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] Retrogamer_4wService
Successfully deleted: [Service] Retrogamer_4wService



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\Retrogamer Search Scope Monitor
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\Retrogamer_4w Browser Plugin Loader



~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_classes_root\escort.escortiepane"
Successfully deleted: [Registry Key] "hkey_classes_root\escort.escortiepane.1"
Successfully deleted: [Registry Key] "hkey_classes_root\esrv.funmoodsesrvc"
Successfully deleted: [Registry Key] "hkey_classes_root\esrv.funmoodsesrvc.1"
Successfully deleted: [Registry Key] "hkey_classes_root\f"
Successfully deleted: [Registry Key] "hkey_classes_root\funmoods.funmoodshlpr"
Successfully deleted: [Registry Key] "hkey_classes_root\funmoods.funmoodshlpr.1"
Successfully deleted: [Registry Key] "hkey_classes_root\funmoodsapp.appcore"
Successfully deleted: [Registry Key] "hkey_classes_root\funmoodsapp.appcore.1"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\fun web products"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\funwebproducts"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\mywebsearch"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\pricegong"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\escort.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\escortapp.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\escorteng.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\escortlbr.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\esrv.exe"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\pricegongie.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\toolbar.dll"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\mywebsearch.multiplebutton"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\mywebsearch.multiplebutton.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\mywebsearch.thirdpartyinstaller"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\mywebsearch.thirdpartyinstaller.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\mywebsearch.urlalertbutton"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\mywebsearch.urlalertbutton.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\pricefactorie.pricegongbho"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\pricefactorie.pricegongbho.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\pricegongie.pricegongctrl"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\pricegongie.pricegongctrl.1"
Successfully deleted: [Registry Key] "hkey_local_machine\software\funmoods"
Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\uninstall\funmoods"
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{08858af6-42ad-4914-95d2-ac3ab0dc8e28}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{1631550f-191d-4826-b069-d9439253d926}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{1631550f-191d-4826-b069-d9439253d926}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{67fa02c4-ab30-4e77-a640-78ee8ec8673b}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{75a4d144-506d-4be5-81db-ec7da1e7f840}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{75ebb0aa-4214-4cb4-90ec-e3e07ecd04f7}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{75ebb0aa-4214-4cb4-90ec-e3e07ecd04f7}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{799391d3-eb86-4bac-9bd3-cbfea58a0e15}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{965b9dbe-b104-44ac-950a-8a5f97aff439}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{9afb8248-617f-460d-9366-d71cdeda3179}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{a9db719c-7156-415e-b49d-bad039de4f13}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d2a2595c-4fe4-4315-aa9b-19dbd6271b71}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d858dafc-9573-4811-b323-7011a3aa7e61}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{f03fd9d0-4f2b-497c-8a71-dd41d70b07d9}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\staz\appdata\locallow\funwebproducts"
Successfully deleted: [Folder] "C:\Users\staz\appdata\locallow\mywebsearch"
Successfully deleted: [Folder] "C:\Users\staz\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Users\staz\appdata\locallow\retrogamer_4w"
Successfully deleted: [Folder] "C:\Program Files\funmoods"
Successfully deleted: [Folder] "C:\Program Files\pricegong"
Successfully deleted: [Folder] "C:\Program Files\retrogamer_4w"



~~~ Chrome

Successfully deleted: [Folder] C:\Users\staz\appdata\local\Google\Chrome\User Data\Default\Extensions\fdloijijlkoblmigdofommgnheckmaki
Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\fdloijijlkoblmigdofommgnheckmaki



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 11/14/2012 at 18:51:13.02
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


combofix

ComboFix 12-11-14.01 - staz 11/14/2012  19:01:20.1.2 - x86
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.2910.1743 [GMT -6:00]
Running from: c:\users\staz\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Outdated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Outdated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
.
.
(((((((((((((((((((((((((   Files Created from 2012-10-15 to 2012-11-15  )))))))))))))))))))))))))))))))
.
.
2012-11-15 01:11 . 2012-11-15 01:11   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-11-15 00:46 . 2012-11-15 00:46   --------   d-----w-   c:\windows\ERUNT
2012-11-15 00:45 . 2012-11-15 00:45   --------   d-----w-   C:\JRT
2012-11-15 00:25 . 2012-11-15 00:25   --------   d-----w-   c:\users\staz\AppData\Local\VS Revo Group
2012-11-15 00:25 . 2009-12-30 17:21   27192   ----a-w-   c:\windows\system32\drivers\revoflt.sys
2012-11-15 00:25 . 2012-11-15 00:25   --------   d-----w-   c:\program files\VS Revo Group
2012-11-14 22:32 . 2012-09-25 16:19   75776   ----a-w-   c:\windows\system32\synceng.dll
2012-11-14 22:32 . 2012-10-12 14:29   2047488   ----a-w-   c:\windows\system32\win32k.sys
2012-11-14 21:11 . 2012-10-12 05:56   6918632   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{94F72D62-C9FE-4742-904C-E0A5BCA705CE}\mpengine.dll
2012-11-12 19:36 . 2012-11-12 23:06   --------   d---a-w-   C:\Kaspersky Rescue Disk 10.0
2012-10-23 17:38 . 2012-10-23 17:38   --------   d-----w-   c:\users\staz\AppData\Roaming\SUPERAntiSpyware.com
2012-10-23 17:38 . 2012-11-09 21:12   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-10-23 17:38 . 2012-10-23 17:38   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-19 15:44 . 2012-06-06 12:08   696760   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-10-19 15:44 . 2011-09-09 12:04   73656   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-13 13:28 . 2012-10-12 02:02   2048   ----a-w-   c:\windows\system32\tzres.dll
2012-08-29 11:27 . 2012-10-12 02:02   3602816   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-08-29 11:27 . 2012-10-12 02:02   3550080   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-08-24 15:53 . 2012-10-12 02:02   172544   ----a-w-   c:\windows\system32\wintrust.dll
2012-08-21 18:01 . 2012-09-17 00:07   26840   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 18:01 . 2010-06-21 01:46   106928   ----a-w-   c:\windows\system32\GEARAspi.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04   122512   ----a-w-   c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2008-08-04 16:30   2958848   ----a-w-   c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2008-08-04 16:30   2958848   ----a-w-   c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-09 4763008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-10-17 6295552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-10 835584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-22 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-22 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-22 145944]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-04-04 317280]
"VMSwitch"="c:\program files\Sony\VAIO Mode Switch\VMSwitch.exe" [2008-10-06 534368]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Bart Station"="c:\program files\EarthLink\ISP\ISP8200\BIN\PPCOLink.exe" [2009-09-24 25920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
.
c:\users\staz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-10-14 776744]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-08-04 16:11   90112   ----a-w-   c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-10-18 01:19   98304   ----a-w-   c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESInetConnect]
2007-04-04 21:04   204800   ----a-w-   c:\eaglesoft\Shared Files\esinetconnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2008-08-04 15:35   48904   ----a-w-   c:\program files\Protector Suite QL\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 01:56   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE

.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
bthsvcs   REG_MULTI_SZ      BthServ
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
HPService   REG_MULTI_SZ      HPSLPSVC
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-06 15:44]
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 01:18]
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 01:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.8.4
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe
HKU-Default-RunOnce-AutoLaunch - c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-Unattend0000000001{9244ABC5-5306-4107-AA8E-5D2333F4C38B} - c:\program files\Sony\First Experience\VAIOWelcome.exe
AddRemove-PriceGong - c:\program files\PriceGong\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-14 19:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
- - - - - - - > 'Explorer.exe'(4988)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\btmmhook.dll
c:\windows\System32\NLSData0009.dll
.
Completion time: 2012-11-14  19:15:18
ComboFix-quarantined-files.txt  2012-11-15 01:15
.
Pre-Run: 287,045,828,608 bytes free
Post-Run: 289,179,676,672 bytes free
.
- - End Of File - - 9CE874BC7A3F6378A80472F19998983D

Corrine (Administrator)
Re: i.e. 9 (only) freezes - several trojans
« Reply #3 on: November 15, 2012, 12:38:25 AM »
Excellent, Temmu.  How is IE9 working now?  Any more freezes?

As to Java and Adobe Reader, I know you've read the threads at SNF but seeing you have OpenOffice, you will need to install the latest Java.  You could switch to Sumatra PDF instead of needing to deal with Adobe Reader.  I haven't had any problems using Sumatra PDF with links that say Adobe Reader is needed. 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Temmu
Re: i.e. 9 (only) freezes - several trojans
« Reply #4 on: November 15, 2012, 01:45:17 AM »
o. carp.
on reboot,
it first tried to repair itself, but couldn't
then tried again for 1/2 second.
now, after login, it's hovering on "welcome."
sigh.

Corrine (Administrator)
Re: i.e. 9 (only) freezes - several trojans
« Reply #5 on: November 15, 2012, 01:11:06 PM »
Hi, Temmu.

Have you tried another restart?  Also, what happens if you use Ctrl+Alt+Del at the Welcome screen?  If neither of those work, restart in Safe Mode and see if System Restore works.


Temmu
Re: i.e. 9 (only) freezes - several trojans
« Reply #6 on: November 15, 2012, 03:58:07 PM »
no joy.
i log on as the user, and the word "welcome" & its spinning wheel simply hang on the screen.

i tried (without success)
- repair (several times, it cannot. it now just immediately says, "it cannot.")
- chkdsk /r
- bootrec /fixboot
- bootrec /fixmbr

am going to try to log on as administrator (may have to "blank" the password).

ideas appreciated in the mean time.

Corrine (Administrator)
Re: i.e. 9 (only) freezes - several trojans
« Reply #7 on: November 15, 2012, 04:30:19 PM »
Hi, Temmu. 

I've found numerous situations in search results where this has occurred but the one that seems to strike home is from Services or processes that require authentication may stop responding because of a deadlock condition in the Lsass.exe process on a Windows Server 2008-based computer or on a Windows Vista Service Pack 1-based computer:
Quote:
The problem occurs because of a race condition that leads to a deadlock condition in the Lsass.exe process. When the deadlock condition occurs, the Lsass.exe process cannot handle authentication requests. The problem is most frequently triggered when the system is under a heavy load and the computer password is changed.

The reason I am thinking this is the case is from your ComboFix log that showed the following:
Code:
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(784)


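The reasoning in Reply #7 rests on two lines of the ComboFix log: the LSA "Notification Packages" value, which lists psqlpwd next to the stock scecli, and the three third-party DLLs loaded inside lsass.exe. Both are worth pulling out of any ComboFix log mechanically, because a notification package runs inside LSASS and sees every password change in the clear, so a non-default one deserves to be identified even when, as here, it belongs to legitimate software (the Protector Suite QL fingerprint suite that appears elsewhere in the log). The following Python script is an added example, not code from this thread, from ComboFix or from Microsoft. It assumes that a stock Windows Vista install lists only scecli as a notification package (that baseline is an assumption, not something the log states), and the embedded log excerpt is constructed from the ComboFix output posted earlier in the thread so the script runs offline.

```python
"""Triage helper for ComboFix logs: extract the LSA notification packages and the
DLLs loaded into lsass.exe, then flag anything that is not stock Windows.

Added example for this thread; not ComboFix's own code. Section markers follow the
ComboFix text format shown in the log above.
"""
import re

# Baseline assumption (not taken from the log): a stock Windows Vista install lists
# only "scecli" in HKLM\SYSTEM\CurrentControlSet\Control\Lsa "Notification Packages".
DEFAULT_NOTIFICATION_PACKAGES = {"scecli"}

# Constructed excerpt, copied from the ComboFix log earlier in this thread so the
# example runs offline.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Notification Packages   REG_MULTI_SZ      scecli psqlpwd
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(784)
c:\\windows\\system32\\psqlpwd.dll
c:\\program files\\Protector Suite QL\\homefus2.dll
c:\\program files\\Protector Suite QL\\infra.dll
.
- - - - - - - > 'Explorer.exe'(4988)
c:\\program files\\Protector Suite QL\\farchns.dll
c:\\windows\\system32\\btmmhook.dll
.
Completion time: 2012-11-14  19:15:18
"""

NOTIFY_RE = re.compile(r"^Notification Packages\s+REG_MULTI_SZ\s+(.+?)\s*$", re.M)
PROC_HDR_RE = re.compile(r"^(?:- )+> '(?P<name>[^']+)'\((?P<pid>\d+)\)\s*$")
DLLS_HEADER = "--------------------- DLLs Loaded Under Running Processes"


def notification_packages(log_text):
    """LSA notification packages named in the log, lower-cased, in registry order."""
    m = NOTIFY_RE.search(log_text)
    return m.group(1).lower().split() if m else []


def dlls_by_process(log_text):
    """Map 'name(pid)' -> DLL paths from the 'DLLs Loaded Under Running Processes' block."""
    result = {}
    current = None
    in_section = False
    for line in log_text.splitlines():
        if line.startswith(DLLS_HEADER):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Completion time:"):
            break  # ComboFix prints this after the last process block
        m = PROC_HDR_RE.match(line)
        if m:
            current = "%s(%s)" % (m.group("name").lower(), m.group("pid"))
            result[current] = []
            continue
        text = line.strip()
        if current is not None and text and text != ".":
            result[current].append(text.lower())
    return result


def lsa_findings(log_text):
    """(kind, value) tuples for anything touching LSASS that is not stock Windows."""
    findings = []
    extra_pkgs = [p for p in notification_packages(log_text)
                  if p not in DEFAULT_NOTIFICATION_PACKAGES]
    for pkg in extra_pkgs:
        findings.append(("notification_package", pkg))
    for proc, dlls in dlls_by_process(log_text).items():
        if not proc.startswith("lsass.exe("):
            continue
        for dll in dlls:
            base = dll.rsplit("\\", 1)[-1]
            stem = base[:-4] if base.endswith(".dll") else base
            # A notification package is loaded from system32 by design, so match it
            # by name; any other DLL loaded into lsass from outside system32 is flagged.
            if stem in extra_pkgs or not dll.startswith("c:\\windows\\system32\\"):
                findings.append(("lsass_module", dll))
    return findings


if __name__ == "__main__":
    for kind, value in lsa_findings(SAMPLE_LOG):
        print("%-21s %s" % (kind, value))
```

Run against the excerpt it reports psqlpwd as a non-default notification package and the three Protector Suite QL modules inside lsass.exe; Explorer's modules are ignored because the question here is what can stall authentication, not the shell. A hit does not mean malware, only that the listed software is wired into LSASS and should be checked before assuming the hang is Windows' own fault.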
Temmu
Re: i.e. 9 (only) freezes - several trojans
« Reply #8 on: November 16, 2012, 05:32:59 AM »
am not sure if i will have to reload yet.
returned it to him.
he's running as admin (i know, poor practice)
his user acct is trashed.

Corrine (Administrator)
Re: i.e. 9 (only) freezes - several trojans
« Reply #9 on: November 17, 2012, 12:48:13 AM »
Hi, Temmu.

When I saw that you removed four trojans before we even started, I was concerned about what had been on that machine.

See if you have any luck with Windows Defender Offline.  Instructions here:  Setting Up the Microsoft Standalone System Sweeper Beta, Now Windows Defender Offline
