Inactive Avira found 'hidden process'


garys

Hi,

I'm using Avira free and it has come up with a message the last couple of days saying that it has found a 'hidden process'. It then offers to stop the scan and tells me to download and run their rescue cd. I tried the rescue cd, but it must not be compatible with my laptop; it gets into a loop while doing something with the video driver (screen flashing).

I'm just wondering what this hidden process is. I have looked at the avira logs and they don't give any details. So, I've decided to see if I can get someone here to look at my logs to see if anything sticks out.

Thanks in advance.

-Gary

Here are the requested logs:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8211

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/21/2011 5:32:42 PM
mbam-log-2011-11-21 (17-32-42).txt

Scan type: Quick scan
Objects scanned: 178296
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

===

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-22 10:34:54
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.BBCO
Running: blqiyvmt.exe; Driver: C:\DOCUME~1\gsieker\LOCALS~1\Temp\kwryapob.sys


---- System - GMER 1.0.15 ----

Code BA736C9C ZwRequestPort
Code BA736D3C ZwRequestWaitReplyPort
Code BA736BFC ZwTraceEvent
Code BA736C9B NtRequestPort
Code BA736D3B NtRequestWaitReplyPort
Code BA736BFB NtTraceEvent

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Ntfs \Ntfs snman380.sys (Acronis Snapshot API/Acronis)

---- EOF - GMER 1.0.15 ----

===
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by gsieker at 13:24:49 on 2011-11-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2218 [GMT -6:00]
.
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Sandboxie\SbieSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\cygwin\usr\sbin\sshd.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [FileZilla Server Interface] "c:\program files\filezilla server\FileZilla Server Interface.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\gsieker\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\gsieker\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet 4.12\PdaNet.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219791963515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.254.23 192.168.254.26
TCP: Interfaces\{18B590DE-D264-497D-B745-F19E7121D38B} : DhcpNameServer = 192.168.254.23 192.168.254.26
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
LSA: Authentication Packages = msv1_0 c:\cygwin\bin\cyglsa\cyglsa.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\gsieker\application data\mozilla\firefox\profiles\2q2zfxjg.default\
FF - prefs.js: browser.search.selectedEngine - Clusty
FF - component: c:\documents and settings\gsieker\application data\mozilla\firefox\profiles\2q2zfxjg.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\documents and settings\gsieker\application data\mozilla\firefox\profiles\2q2zfxjg.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\logitech\harmony remote driver\NprtHarmonyPlugin.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [2008-12-18 971232]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-9 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-11-9 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-11-9 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-3 74640]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2011-2-23 68096]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-3-18 8576]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-8-9 123112]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2009-7-31 341504]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-7-20 79888]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
.
=============== Created Last 30 ================
.
2011-11-21 18:22:58 -------- d-----w- C:\bd_logs
2011-11-17 22:08:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-11-17 22:08:24 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-11-17 22:08:24 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-11-17 22:08:24 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-11-17 22:08:24 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-11-17 22:08:24 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-11-17 22:08:24 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-11-17 22:08:24 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-11-16 01:50:39 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-16 01:50:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-16 01:41:20 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-16 01:41:18 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-11-16 01:39:54 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-11-09 19:09:06 -------- d-----w- c:\documents and settings\gsieker\application data\Avira
2011-11-09 19:08:30 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-11-09 19:08:24 -------- d-----w- c:\program files\Avira
2011-11-09 19:08:24 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-10-31 18:05:15 -------- d-----w- c:\program files\OpenVPN
.
==================== Find3M ====================
.
2011-11-21 17:17:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-16 05:55:03 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 13:25:00.89 ===============

===

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/26/2008 2:11:19 PM
System Uptime: 11/21/2011 6:37:12 PM (19 hours ago)
.
Motherboard: Gateway | |
Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | U2E1 | 1995/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 27.933 GiB free.
D: is CDROM ()
E: is Removable
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP638: 8/24/2011 10:04:59 AM - Software Distribution Service 3.0
RP639: 8/25/2011 10:31:27 AM - System Checkpoint
RP640: 8/27/2011 1:28:55 PM - System Checkpoint
RP641: 8/28/2011 2:12:59 PM - System Checkpoint
RP642: 8/29/2011 3:15:24 PM - System Checkpoint
RP643: 8/30/2011 9:10:45 PM - System Checkpoint
RP644: 9/1/2011 7:13:44 PM - System Checkpoint
RP645: 9/3/2011 7:19:09 PM - System Checkpoint
RP646: 9/4/2011 7:39:58 PM - System Checkpoint
RP647: 9/5/2011 8:35:00 PM - System Checkpoint
RP648: 9/6/2011 8:53:39 PM - System Checkpoint
RP649: 9/7/2011 8:36:11 PM - Software Distribution Service 3.0
RP650: 9/9/2011 1:03:18 PM - System Checkpoint
RP651: 9/10/2011 2:09:16 PM - Removed SageTV Placeshifter
RP652: 9/11/2011 2:29:45 PM - System Checkpoint
RP653: 9/12/2011 3:04:03 PM - System Checkpoint
RP654: 9/13/2011 12:15:03 PM - Software Distribution Service 3.0
RP655: 9/15/2011 4:06:56 PM - System Checkpoint
RP656: 9/16/2011 6:03:17 PM - System Checkpoint
RP657: 9/17/2011 6:26:00 PM - System Checkpoint
RP658: 9/20/2011 12:58:45 AM - System Checkpoint
RP659: 9/21/2011 1:19:08 AM - System Checkpoint
RP660: 9/22/2011 11:07:51 PM - System Checkpoint
RP661: 9/24/2011 10:33:56 PM - System Checkpoint
RP662: 9/25/2011 10:54:19 PM - System Checkpoint
RP663: 9/26/2011 11:27:08 PM - System Checkpoint
RP664: 9/28/2011 4:06:14 PM - System Checkpoint
RP665: 9/29/2011 4:17:58 PM - System Checkpoint
RP666: 10/2/2011 11:27:49 AM - System Checkpoint
RP667: 10/4/2011 7:12:17 AM - System Checkpoint
RP668: 10/5/2011 11:08:02 AM - System Checkpoint
RP669: 10/6/2011 12:23:36 PM - System Checkpoint
RP670: 10/9/2011 12:17:28 PM - Software Distribution Service 3.0
RP671: 10/10/2011 4:09:09 PM - System Checkpoint
RP672: 10/11/2011 4:21:33 PM - System Checkpoint
RP673: 10/12/2011 4:22:37 PM - System Checkpoint
RP674: 10/13/2011 5:22:37 PM - System Checkpoint
RP675: 10/14/2011 6:21:34 PM - System Checkpoint
RP676: 10/14/2011 7:08:21 PM - Software Distribution Service 3.0
RP677: 10/15/2011 7:29:12 PM - System Checkpoint
RP678: 10/17/2011 11:16:40 PM - System Checkpoint
RP679: 10/18/2011 11:51:31 PM - System Checkpoint
RP680: 10/24/2011 11:17:35 AM - Installed Java(TM) 6 Update 29
RP681: 10/26/2011 8:00:01 PM - System Checkpoint
RP682: 10/28/2011 9:33:41 PM - System Checkpoint
RP683: 10/31/2011 8:25:04 AM - System Checkpoint
RP684: 11/9/2011 12:38:38 PM - Avira AntiVir Personal - 11/9/2011 12:38
RP685: 11/10/2011 12:48:17 PM - Software Distribution Service 3.0
RP686: 11/12/2011 12:26:09 PM - System Checkpoint
RP687: 11/12/2011 12:47:30 PM - Software Distribution Service 3.0
RP688: 11/13/2011 1:41:28 PM - System Checkpoint
RP689: 11/15/2011 8:33:41 PM - System Checkpoint
RP690: 11/16/2011 9:59:39 PM - System Checkpoint
RP691: 11/21/2011 11:55:53 PM - System Checkpoint
.
==== Installed Programs ======================
.
µTorrent
7-Zip 4.65
Acronis*True*Image*Home
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Shockwave Player 11
Agere Systems HDA Modem
Album Art Downloader XUI 0.37.1
allTunes
Auto Gordian Knot 2.55
Avira Free Antivirus
AviSynth 2.5
CamStudio
CamStudio Lossless Codec
CDBurnerXP
Conduit Engine
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.7
DVD Flick 1.3.0.7
DVD43 v4.6.0
EasyToon 1.9.9 EN FINAL
Exact Audio Copy 1.0beta1
Fiesta Download Manager
FileZilla Client 3.4.0
FileZilla Server (remove only)
Foxit Reader
HDHomeRun
High Definition Audio Driver Package - KB888111
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958655-v2)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImgBurn
Infor ERP FACTS 7.7
Intel(R) Graphics Media Accelerator Driver
Jaangle music management
Java Auto Updater
Java(TM) 6 Update 29
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 21
JGoodies JDiskReport 1.3.2
JGoodies Looks Demo
Kat CD Ripper
Legalsounds Download Manager
Logitech Harmony Remote Software
MagicDisc 2.7.106
Malwarebytes' Anti-Malware version 1.51.2.1300
MediaMonkey 3.2
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Help Viewer 1.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files (English)
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server System CLR Types
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C# 2010 Express - ENU
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
MinGW-Get version 0.1-alpha-5
Mozilla Firefox 4.0b7 (x86 en-US)
Mozilla Firefox 8.0 (x86 en-US)
Mozilla Thunderbird (3.1.15)
Mp3tag v2.48
MSXML 6.0 Parser (KB933579)
NETGEAR WG111v3 wireless USB 2.0 adapter
NOOK for PC
OpenVPN 2.2.0
Palm
PC Wizard 2010.1.95
PdaNet 4.12 for Treo 700p/755p/Centro
Phun beta 4.22
puTTY Release 0.58
QMC
QT Lite 2.8.0
Safari
SageTV Placeshifter
Sandboxie 3.48
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
SonicWALL Global VPN Client
Speccy
Spotify
Sql Server Customer Experience Improvement Program
Switch Sound File Converter
Synergy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
uTorrentBar Toolbar
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
VLC media player 1.1.11
VNC Free Edition 4.1.3
VobSub v2.23 (Remove Only)
WebFldrs XP
Winamp
Windows Driver Package - Intel (NETw5x32) net (07/08/2008 12.0.0.82)
Windows Driver Package - Intel (w29n51) net (12/19/2007 9.0.4.39)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
World of Warcraft
Xvid 1.1.3 final uninstall
XviD MPEG4 Video Codec (remove only)
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
11/21/2011 11:15:08 AM, error: Dhcp [1002] - The IP address lease 192.168.254.156 for the Network Card with network address 00E0B8F9DBD2 has been denied by the DHCP server 216.215.237.174 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
Welcome to TechSpot, Gary. I'll help with the problems, but would like to make some comments first:
  1. The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. That doesn't sound appropriate for what you're telling me. We will need to try and find the hidden processes that are bothering Avira.
  2. Please remove Hitman: if you have paid for this program, you should request your money back. It is a bundle of free programs, all available on the internet. But the scam is that Hitman will only 'fix' problems free during the Trial Period> after that you have to pay for the program. But if you had gotten the free programs from the internet, they would have been fully functional> free.
  3. There are multiple entries for uTorrent and its Toolbar. Please disable those while I'm helping you.
  4. The system is showing that Root Repeal is running. Please disable and/or uninstall that.
  5. I notice that you have Sandboxie 3.48 installed. Please check the following:
Known Conflicts
• Overview> http://www.sandboxie.com/index.php?KnownConflicts
• AnVir Task Manager
• AppGuard
• Canon Printers, Canon Easy-WebPrint
• HP Universal Print Driver
• ITEKSOFT eDocPrinter PDF
• Naomi Web Filter
• McAfee Viruscan Enterprise 8.7i
• Nuance OmniPage
• PC-Tools Spyware Doctor Version 7
• PrevX SafeOnline
• PunkBuster
• Rising Anti-Virus
• SnagIt
• Trusteer Rapport
• Webroot AntiSpyware Corporate Edition
• ZoneAlarm Internet Security Suite Version 8
=================================================
Now let's see if we can find what's hiding:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save it to the desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=====================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the
    esetSmartInstallDesktopIcon.png
    on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=========================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Welcome to TechSpot, Gary.
Thanks.

Thought I'd better check with you on a couple of the answers to your questions before going any farther.

I'll help with the problems, but would like to make some comments first:
  1. The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. That doesn't sound appropriate for what you're telling me. We will need to try and find the hidden processes that are bothering Avira.
  2. Please remove Hitman: if you have paid for this program, you should request your money back. It is a bundle of free programs, all available on the internet. But the scam is that Hitman will only 'fix' problems free during the Trial Period> after that you have to pay for the program. But if you had gotten the free programs from the internet, they would have been fully functional> free.
  3. There are multiple entries for uTorrent and its Toolbar. Please disable those while I'm helping you.
  4. The system is showing that Root Repeal is running. Please disable and/or uninstall that.
  5. I notice that you have Sandboxie 3.48 installed. Please check the following:

1. Yeah, didn't make sense to me either. Just decided to try what was suggested...
2. Done.
3. Doesn't show as running in task mgr. Any idea how I would disable?
4. This one doesn't show in task mgr either. I looked through the logs and noticed a mention of 'rootrepeal.sys' in the drivers folder. Is this what you're referring to? If so, do you want me to delete that file?
5. Checked. None seem to apply.
 
I'll remove the entries for #2, 3 and 4 with a script I'll write for you to run through Combofix. In the meantime, please don't use any of the uTorrent processes.

From what you've told me and from what I've seen so far, Avira was not correct in suggesting that tool. Don't be blindly led unless you have enough information.

Please go ahead with the scans.
 
ComboFix 11-11-22.03 - gsieker 11/22/2011 21:43:19.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2400 [GMT -6:00]
Running from: c:\documents and settings\gsieker\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\cygwin\bin\cyglsa\cyglsa.dll
C:\Install.exe
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( Files Created from 2011-10-23 to 2011-11-23 )))))))))))))))))))))))))))))))
.
.
2011-11-21 18:22 . 2011-11-21 18:27 -------- d-----w- C:\bd_logs
2011-11-17 22:08 . 2011-11-05 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-11-17 22:08 . 2011-11-05 06:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-11-17 22:08 . 2011-11-05 06:53 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-11-17 22:08 . 2011-11-05 06:53 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-11-17 22:08 . 2011-11-05 06:53 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-11-17 22:08 . 2011-11-05 06:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-11-17 22:08 . 2011-11-05 03:21 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-11-17 22:08 . 2011-11-05 03:21 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-11-16 01:50 . 2011-11-16 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-16 01:50 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-16 01:41 . 2011-11-16 01:41 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-16 01:41 . 2011-11-16 01:41 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-11-16 01:39 . 2011-11-16 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-11-09 19:09 . 2011-11-09 19:09 -------- d-----w- c:\documents and settings\gsieker\Application Data\Avira
2011-11-09 19:08 . 2011-09-18 14:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-09 19:08 . 2011-09-16 05:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-11-09 19:08 . 2011-11-09 19:08 -------- d-----w- c:\program files\Avira
2011-11-09 19:08 . 2011-11-09 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-10-31 18:05 . 2011-10-31 18:05 -------- d-----w- c:\program files\OpenVPN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 17:17 . 2011-05-25 14:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-08-26 19:06 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2010-06-13 19:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37 . 2009-03-16 18:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-16 05:55 . 2010-02-04 04:24 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-06 13:20 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 06:53 . 2011-11-17 22:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 18:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 18:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-08-09 389352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-22 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 135168]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-10-13 4344472]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-10-13 960376]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-10-13 165144]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2010-10-17 1259008]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
.
c:\documents and settings\gsieker\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-3-27 576000]
PdaNet Desktop.lnk - c:\program files\PdaNet 4.12\PdaNet.exe [2010-3-18 185560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2009-10-15 471040]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2009-12-23 2330624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\SageTV\\Placeshifter\\SageTVPlaceshifter.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer_pe.exe"=
"c:\\Program Files\\PdaNet 4.12\\PdaNet.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files - No install\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_config_gui.exe"=
"c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_quicktv.exe"=
"c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_setup.exe"=
"c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_config.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla server.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [12/18/2008 11:23 PM 971232]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/9/2011 1:08 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/9/2011 1:08 PM 86224]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 12:13 PM 38144]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2/23/2011 1:11 PM 68096]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [3/18/2010 5:10 PM 8576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 2:12 PM 341504]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [7/20/2009 4:38 PM 79888]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 6:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 1:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 6:28 PM 369688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-03 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-05-31 00:57]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\gsieker\Application Data\Mozilla\Firefox\Profiles\2q2zfxjg.default\
FF - prefs.js: browser.search.selectedEngine - Clusty
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-22 21:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\WININET.dll
c:\program files\MediaMonkey\DeskPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\FileZilla Server\FileZilla Server.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\cygwin\usr\sbin\sshd.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\PdaNet 4.12\PdaNetUm.exe
c:\progra~1\COMMON~1\JFTech\PALMON~1.EXE
.
**************************************************************************
.
Completion time: 2011-11-22 21:57:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-23 03:57
.
Pre-Run: 29,835,362,304 bytes free
Post-Run: 31,108,374,528 bytes free
.
- - End Of File - - 0B8FCAF2C78D4E5AFFBC6B3AADE0A7C1
 
ESET results:

No malware found.

One slightly confusing thing in the eset directions:

In the alternate browsers instructions, clicking directly on the posted image for 'esetsmartinstaller_enu', as directed, doesn't seem to do anything. That image also doesn't seem to appear anywhere on the ESETOnlineScan page link posted above the image. Now it's just a blue link that appears in the middle of a popup when you click the ESET Online Scanner button or the download link. Just an FYI that the wording could use a little touch-up.
 
No, the thread didn't get lost. I have spent the holiday enjoying my family.

I think you misunderstood what the image was. Read the directions again and look for the icon that loaded to the desktop. It's just semantics: the first 'click on image' is referring to the download 'button' for the installer. This gives you a new window with the link to click on. The link should then be on the desktop for the installer:
esetSmartInstallDesktopIcon.png

========================================
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
KillAll::
File::
c:\windows\system32\drivers\hitmanpro35.sys
Folder::
c:\program files\Hitman Pro 3.5
c:\documents and settings\All Users\Application Data\Hitman Pro
DDS::
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
ClearJavaCache::
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
"{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================================
I haven't seen any indication of a hidden process. How is the system running? Any related problems?
====================================
Do you realize that you have 4 versions of Firefox on the system?
Mozilla Firefox 4.0b7 (x86 en-US)
Mozilla Firefox 8.0 (x86 en-US)
=====================================
If you celebrate Thanksgiving, I hope you are having a nice weekend.:)
 
Thanks for the reply.

I'm glad you got to spend time with your family for the holiday. Good to make time to spend time with the family.

I re-read the eset installation instructions, and I see what you mean. The part about clicking on the extra link in the pop-up window is simply omitted from the directions altogether. I was just suggesting that they could be made a bit more clear.
===
I haven't noticed any specific problem with the system, although there has been one strange behavior: I have a notification for the last several days telling me that Firefox is not the default browser. Each time, I take the option to make it the default. I have not changed this, so this seems odd.
===
On the Firefox versions, yes, I sometimes keep older versions around for testing. I don't use them much, and haven't lately.
===
I am still receiving a daily message that one or more 'hidden objects' have been found, so I still think something is going on.

Again, thanks for the assistance and Happy Thanksgiving.

I ran combofix again as requested. Here's the log:

ComboFix 11-11-27.02 - gsieker 11/27/2011 11:42:28.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.1510 [GMT -6:00]
Running from: c:\documents and settings\gsieker\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gsieker\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\system32\drivers\hitmanpro35.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Hitman Pro
c:\documents and settings\All Users\Application Data\Hitman Pro\Banner.bin
c:\program files\conduitengine\ConduitEngine.dll
c:\program files\Hitman Pro 3.5
c:\program files\Hitman Pro 3.5\HitmanPro35.exe
c:\program files\utorrentbar\tbuTor.dll
c:\windows\CSC\d6
c:\windows\system32\drivers\hitmanpro35.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-10-27 to 2011-11-27 )))))))))))))))))))))))))))))))
.
.
2011-11-23 18:09 . 2011-11-23 18:09 -------- d-----w- c:\documents and settings\gsieker\Application Data\1_8_2.minecraft
2011-11-23 04:23 . 2011-11-23 04:23 -------- d-----w- c:\program files\ESET
2011-11-21 18:22 . 2011-11-21 18:27 -------- d-----w- C:\bd_logs
2011-11-17 22:08 . 2011-11-05 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-11-17 22:08 . 2011-11-05 06:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-11-17 22:08 . 2011-11-05 06:53 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-11-17 22:08 . 2011-11-05 06:53 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-11-17 22:08 . 2011-11-05 06:53 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-11-17 22:08 . 2011-11-05 06:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-11-17 22:08 . 2011-11-05 03:21 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-11-17 22:08 . 2011-11-05 03:21 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-11-16 01:50 . 2011-11-16 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-16 01:50 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-09 19:09 . 2011-11-09 19:09 -------- d-----w- c:\documents and settings\gsieker\Application Data\Avira
2011-11-09 19:08 . 2011-09-18 14:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-09 19:08 . 2011-09-16 05:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-11-09 19:08 . 2011-11-09 19:08 -------- d-----w- c:\program files\Avira
2011-11-09 19:08 . 2011-11-09 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-10-31 18:05 . 2011-10-31 18:05 -------- d-----w- c:\program files\OpenVPN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 17:17 . 2011-05-25 14:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-08-26 19:06 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2010-06-13 19:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37 . 2009-03-16 18:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-16 05:55 . 2010-02-04 04:24 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-06 13:20 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 06:53 . 2011-11-17 22:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-23_03.52.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-27 17:48 . 2011-11-27 17:48 16384 c:\windows\temp\Perflib_Perfdata_704.dat
+ 2006-02-28 12:00 . 2011-11-23 03:56 604270 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2011-11-23 03:45 604270 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2011-11-23 03:56 127676 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2011-11-23 03:45 127676 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-08-09 389352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-22 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 135168]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-10-13 4344472]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-10-13 960376]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-10-13 165144]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2010-10-17 1259008]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
.
c:\documents and settings\gsieker\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-3-27 576000]
PdaNet Desktop.lnk - c:\program files\PdaNet 4.12\PdaNet.exe [2010-3-18 185560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2009-10-15 471040]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2009-12-23 2330624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\SageTV\\Placeshifter\\SageTVPlaceshifter.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer_pe.exe"=
"c:\\Program Files\\PdaNet 4.12\\PdaNet.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files - No install\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_config_gui.exe"=
"c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_quicktv.exe"=
"c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_setup.exe"=
"c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_config.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla server.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [12/18/2008 11:23 PM 971232]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/9/2011 1:08 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/9/2011 1:08 PM 86224]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 12:13 PM 38144]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2/23/2011 1:11 PM 68096]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [3/18/2010 5:10 PM 8576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 2:12 PM 341504]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [7/20/2009 4:38 PM 79888]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 6:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 1:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 6:28 PM 369688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-03 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-05-31 00:57]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\gsieker\Application Data\Mozilla\Firefox\Profiles\2q2zfxjg.default\
FF - prefs.js: browser.search.selectedEngine - Clusty
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-27 11:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1212)
c:\windows\system32\WININET.dll
c:\program files\MediaMonkey\DeskPlayer.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\FileZilla Server\FileZilla Server.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\cygwin\usr\sbin\sshd.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\PdaNet 4.12\PdaNetUm.exe
c:\progra~1\COMMON~1\JFTech\PALMON~1.EXE
c:\program files\Avira\AntiVir Desktop\avnotify.exe
.
**************************************************************************
.
Completion time: 2011-11-27 11:54:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-27 17:54
ComboFix2.txt 2011-11-23 03:57
.
Pre-Run: 31,363,141,632 bytes free
Post-Run: 31,349,772,288 bytes free
.
- - End Of File - - 0030C6C290372A44FC76744D605A54AE
 
Regarding this:
firefox is not the default browser

I have found that you not only have to check this: In Firefox> Tools> Options> Advanced> General> Default> "Always have Firefox check to see that it is the default browser", but you also have to uncheck "Internet Explorer should always check to see if it's the default browser."

IE is very pushy and if you don't take away its toys, it will use them!
===============================
The Combofix log looks good. I would like to remove just one more entry:
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
KillAll::
File::
ClearJavaCache::
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . You do not need to leave the new log unless there have been any additional problems.
====================
There was no indication of hidden files in Combofix
==================================
I would also encourage you to uninstall uTorrent> here's why:
P2P or 'file sharing' Warning:
  • Even if you are using a "safe" P2P program, it is only the program that is safe.
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.
Please read the information on P2P Warning to help you better understand these dangers.
=================================
Be sure you have uninstalled this outdated program: Java(TM) 6 Update 7
================================
One quick last scan:
First, set up a Directory for HijackThis as follows:
Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
  • Extract it to the directory on your hard drive you created C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
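Added example (editor's code, not part of the thread, of ComboFix or of the helper's CFScript): a small Python triage script for the firewall exception sections ComboFix prints under "Reg Loading Points". It parses the AuthorizedApplications and GloballyOpenPorts lists, flags exceptions whose executable is a network listener (the watch-list is an assumption, seeded from the servers visible in the log above: VNC, sshd, FileZilla Server, uTorrent), and drafts a CFScript Registry:: stanza in the REGEDIT4 "=-" delete syntax the helper used. The log excerpt is constructed to mirror the thread's log, and the %windir% expansion is assumed.

```python
"""Triage the Windows XP firewall exceptions that ComboFix lists under
'Reg Loading Points', and draft the CFScript stanza that deletes chosen ones.
Added example for this thread; it is not part of ComboFix or the helper's script."""
import re

# Constructed excerpt modelled on the ComboFix log in this thread (not a verbatim copy).
SAMPLE = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla server.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"21:TCP"= 21:TCP:*:Enabled:FTP
'''

# Assumed watch-list of executables that accept inbound connections; extend as needed.
LISTENERS = {
    "winvnc4.exe": "RealVNC server",
    "sshd.exe": "OpenSSH server",
    "filezilla server.exe": "FTP server",
    "utorrent.exe": "BitTorrent client (listens for peers)",
}

AUTH_KEY = "AuthorizedApplications\\List"
PORTS_KEY = "GloballyOpenPorts\\List"
ENV = {"%windir%": "c:\\WINDOWS"}  # assumed; ComboFix prints the variable unexpanded
# ComboFix abbreviates this key as HKLM\~\services\... in its log.
FULL_AUTH_KEY = ("[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess"
                 "\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List]")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):([^:]+):(Enabled|Disabled):(.*)$')


def unescape(value_name):
    """Undo REGEDIT4 backslash doubling and expand the variables we know."""
    path = value_name.replace("\\\\", "\\")
    for var, val in ENV.items():
        # lambda avoids backslash-escape processing in the replacement string
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.IGNORECASE)
    return path


def parse_firewall(log_text):
    """Return (apps, ports): apps keep the raw value name plus the expanded path."""
    apps, ports, section = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if not line or line == "." or section is None:
            continue
        if section.endswith(AUTH_KEY):
            m = re.match(r'^"(.+?)"=', line)
            if m:
                apps.append({"value": m.group(1), "path": unescape(m.group(1))})
        elif section.endswith(PORTS_KEY):
            m = PORT_RE.match(line)
            if m:
                ports.append({"port": int(m.group(1)), "proto": m.group(2),
                              "scope": m.group(3), "enabled": m.group(4) == "Enabled",
                              "name": m.group(5)})
    return apps, ports


def flag_listeners(apps):
    """Keep only exceptions whose executable is on the watch-list, with the reason."""
    flagged = []
    for entry in apps:
        base = entry["path"].rsplit("\\", 1)[-1].lower()
        if base in LISTENERS:
            flagged.append(dict(entry, why=LISTENERS[base]))
    return flagged


def cfscript_registry_stanza(entries):
    """Draft a Registry:: block deleting the given exceptions, using the REGEDIT4
    '"name"=-' delete-value syntax seen in the helper's CFScript above."""
    lines = ["Registry::", FULL_AUTH_KEY] + ['"%s"=-' % e["value"] for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    apps, ports = parse_firewall(SAMPLE)
    for p in ports:
        state = "ENABLED" if p["enabled"] else "disabled"
        print("port %d/%s open to %s: %s (%s)" % (p["port"], p["proto"], p["scope"], state, p["name"]))
    flagged = flag_listeners(apps)
    for f in flagged:
        print("exception for %s -> %s" % (f["path"], f["why"]))
    # Decide which to drop; here, only the uTorrent entry the helper removes.
    print(cfscript_registry_stanza([f for f in flagged if f["path"].lower().endswith("utorrent.exe")]))
```

Run it against a saved ComboFix.txt instead of SAMPLE to get the same listing for a real log. A flagged exception is not malware; it is a service reachable from the network that the owner should recognise (here VNC, sshd and FileZilla Server are all deliberately installed). What matters is that every entry in the list is accounted for, and that entries for software you are uninstalling, like uTorrent, go with it.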
 