TechSpot

Avira found 'hidden process'

By garys
Nov 22, 2011
    Hi,

    I'm using Avira Free and it has come up with a message the last couple of days saying that it has found a 'hidden process'. It then offers to stop the scan and tells me to download and run their rescue CD. I tried the rescue CD, but it must not be compatible with my laptop; it gets into a loop while doing something with the video driver (screen flashing).

    I'm just wondering what this hidden process is. I have looked at the Avira logs and they don't give any details. So, I've decided to see if I can get someone here to look at my logs to see if anything sticks out.

    Thanks in advance.

    -Gary

    Here are the requested logs:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8211

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/21/2011 5:32:42 PM
    mbam-log-2011-11-21 (17-32-42).txt

    Scan type: Quick scan
    Objects scanned: 178296
    Time elapsed: 8 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ===

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-11-22 10:34:54
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.BBCO
    Running: blqiyvmt.exe; Driver: C:\DOCUME~1\gsieker\LOCALS~1\Temp\kwryapob.sys


    ---- System - GMER 1.0.15 ----

    Code BA736C9C ZwRequestPort
    Code BA736D3C ZwRequestWaitReplyPort
    Code BA736BFC ZwTraceEvent
    Code BA736C9B NtRequestPort
    Code BA736D3B NtRequestWaitReplyPort
    Code BA736BFB NtTraceEvent

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \FileSystem\Ntfs \Ntfs snman380.sys (Acronis Snapshot API/Acronis)

    ---- EOF - GMER 1.0.15 ----

    ===
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
    Run by gsieker at 13:24:49 on 2011-11-22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2218 [GMT -6:00]
    .
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\FileZilla Server\FileZilla Server.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\cygwin\bin\cygrunsrv.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\cygwin\usr\sbin\sshd.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
    mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    mRun: [FileZilla Server Interface] "c:\program files\filezilla server\FileZilla Server Interface.exe"
    mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\gsieker\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
    StartupFolder: c:\docume~1\gsieker\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet 4.12\PdaNet.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: intuit.com\ttlc
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219791963515
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.254.23 192.168.254.26
    TCP: Interfaces\{18B590DE-D264-497D-B745-F19E7121D38B} : DhcpNameServer = 192.168.254.23 192.168.254.26
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
    LSA: Authentication Packages = msv1_0 c:\cygwin\bin\cyglsa\cyglsa.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\gsieker\application data\mozilla\firefox\profiles\2q2zfxjg.default\
    FF - prefs.js: browser.search.selectedEngine - Clusty
    FF - component: c:\documents and settings\gsieker\application data\mozilla\firefox\profiles\2q2zfxjg.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
    FF - plugin: c:\documents and settings\gsieker\application data\mozilla\firefox\profiles\2q2zfxjg.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\logitech\harmony remote driver\NprtHarmonyPlugin.dll
    FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [2008-12-18 971232]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-9 36000]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-11-9 86224]
    R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-11-9 110032]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-3 74640]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
    R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2011-2-23 68096]
    R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-3-18 8576]
    R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-8-9 123112]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
    S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
    S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2009-7-31 341504]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-7-20 79888]
    S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
    S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
    .
    =============== Created Last 30 ================
    .
    2011-11-21 18:22:58 -------- d-----w- C:\bd_logs
    2011-11-17 22:08:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-11-17 22:08:24 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-11-17 22:08:24 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-11-17 22:08:24 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-11-17 22:08:24 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-11-17 22:08:24 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-11-17 22:08:24 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-11-17 22:08:24 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-11-16 01:50:39 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-16 01:50:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-16 01:41:20 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-11-16 01:41:18 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-11-16 01:39:54 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
    2011-11-09 19:09:06 -------- d-----w- c:\documents and settings\gsieker\application data\Avira
    2011-11-09 19:08:30 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-11-09 19:08:24 -------- d-----w- c:\program files\Avira
    2011-11-09 19:08:24 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-10-31 18:05:15 -------- d-----w- c:\program files\OpenVPN
    .
    ==================== Find3M ====================
    .
    2011-11-21 17:17:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-03 07:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-16 05:55:03 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 13:25:00.89 ===============

    ===

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/26/2008 2:11:19 PM
    System Uptime: 11/21/2011 6:37:12 PM (19 hours ago)
    .
    Motherboard: Gateway | |
    Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | U2E1 | 1995/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 27.933 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP638: 8/24/2011 10:04:59 AM - Software Distribution Service 3.0
    RP639: 8/25/2011 10:31:27 AM - System Checkpoint
    RP640: 8/27/2011 1:28:55 PM - System Checkpoint
    RP641: 8/28/2011 2:12:59 PM - System Checkpoint
    RP642: 8/29/2011 3:15:24 PM - System Checkpoint
    RP643: 8/30/2011 9:10:45 PM - System Checkpoint
    RP644: 9/1/2011 7:13:44 PM - System Checkpoint
    RP645: 9/3/2011 7:19:09 PM - System Checkpoint
    RP646: 9/4/2011 7:39:58 PM - System Checkpoint
    RP647: 9/5/2011 8:35:00 PM - System Checkpoint
    RP648: 9/6/2011 8:53:39 PM - System Checkpoint
    RP649: 9/7/2011 8:36:11 PM - Software Distribution Service 3.0
    RP650: 9/9/2011 1:03:18 PM - System Checkpoint
    RP651: 9/10/2011 2:09:16 PM - Removed SageTV Placeshifter
    RP652: 9/11/2011 2:29:45 PM - System Checkpoint
    RP653: 9/12/2011 3:04:03 PM - System Checkpoint
    RP654: 9/13/2011 12:15:03 PM - Software Distribution Service 3.0
    RP655: 9/15/2011 4:06:56 PM - System Checkpoint
    RP656: 9/16/2011 6:03:17 PM - System Checkpoint
    RP657: 9/17/2011 6:26:00 PM - System Checkpoint
    RP658: 9/20/2011 12:58:45 AM - System Checkpoint
    RP659: 9/21/2011 1:19:08 AM - System Checkpoint
    RP660: 9/22/2011 11:07:51 PM - System Checkpoint
    RP661: 9/24/2011 10:33:56 PM - System Checkpoint
    RP662: 9/25/2011 10:54:19 PM - System Checkpoint
    RP663: 9/26/2011 11:27:08 PM - System Checkpoint
    RP664: 9/28/2011 4:06:14 PM - System Checkpoint
    RP665: 9/29/2011 4:17:58 PM - System Checkpoint
    RP666: 10/2/2011 11:27:49 AM - System Checkpoint
    RP667: 10/4/2011 7:12:17 AM - System Checkpoint
    RP668: 10/5/2011 11:08:02 AM - System Checkpoint
    RP669: 10/6/2011 12:23:36 PM - System Checkpoint
    RP670: 10/9/2011 12:17:28 PM - Software Distribution Service 3.0
    RP671: 10/10/2011 4:09:09 PM - System Checkpoint
    RP672: 10/11/2011 4:21:33 PM - System Checkpoint
    RP673: 10/12/2011 4:22:37 PM - System Checkpoint
    RP674: 10/13/2011 5:22:37 PM - System Checkpoint
    RP675: 10/14/2011 6:21:34 PM - System Checkpoint
    RP676: 10/14/2011 7:08:21 PM - Software Distribution Service 3.0
    RP677: 10/15/2011 7:29:12 PM - System Checkpoint
    RP678: 10/17/2011 11:16:40 PM - System Checkpoint
    RP679: 10/18/2011 11:51:31 PM - System Checkpoint
    RP680: 10/24/2011 11:17:35 AM - Installed Java(TM) 6 Update 29
    RP681: 10/26/2011 8:00:01 PM - System Checkpoint
    RP682: 10/28/2011 9:33:41 PM - System Checkpoint
    RP683: 10/31/2011 8:25:04 AM - System Checkpoint
    RP684: 11/9/2011 12:38:38 PM - Avira AntiVir Personal - 11/9/2011 12:38
    RP685: 11/10/2011 12:48:17 PM - Software Distribution Service 3.0
    RP686: 11/12/2011 12:26:09 PM - System Checkpoint
    RP687: 11/12/2011 12:47:30 PM - Software Distribution Service 3.0
    RP688: 11/13/2011 1:41:28 PM - System Checkpoint
    RP689: 11/15/2011 8:33:41 PM - System Checkpoint
    RP690: 11/16/2011 9:59:39 PM - System Checkpoint
    RP691: 11/21/2011 11:55:53 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    µTorrent
    7-Zip 4.65
    Acronis*True*Image*Home
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Shockwave Player 11
    Agere Systems HDA Modem
    Album Art Downloader XUI 0.37.1
    allTunes
    Auto Gordian Knot 2.55
    Avira Free Antivirus
    AviSynth 2.5
    CamStudio
    CamStudio Lossless Codec
    CDBurnerXP
    Conduit Engine
    Critical Update for Windows Media Player 11 (KB959772)
    CutePDF Writer 2.7
    DVD Flick 1.3.0.7
    DVD43 v4.6.0
    EasyToon 1.9.9 EN FINAL
    Exact Audio Copy 1.0beta1
    Fiesta Download Manager
    FileZilla Client 3.4.0
    FileZilla Server (remove only)
    Foxit Reader
    HDHomeRun
    High Definition Audio Driver Package - KB888111
    Hitman Pro 3.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB958655-v2)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    ImgBurn
    Infor ERP FACTS 7.7
    Intel(R) Graphics Media Accelerator Driver
    Jaangle music management
    Java Auto Updater
    Java(TM) 6 Update 29
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 21
    JGoodies JDiskReport 1.3.2
    JGoodies Looks Demo
    Kat CD Ripper
    Legalsounds Download Manager
    Logitech Harmony Remote Software
    MagicDisc 2.7.106
    Malwarebytes' Anti-Malware version 1.51.2.1300
    MediaMonkey 3.2
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Help Viewer 1.0
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft SQL Server 2008
    Microsoft SQL Server 2008 Browser
    Microsoft SQL Server 2008 Common Files
    Microsoft SQL Server 2008 Database Engine Services
    Microsoft SQL Server 2008 Database Engine Shared
    Microsoft SQL Server 2008 Native Client
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 RsFx Driver
    Microsoft SQL Server 2008 Setup Support Files (English)
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server System CLR Types
    Microsoft SQL Server VSS Writer
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C# 2010 Express - ENU
    Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
    MinGW-Get version 0.1-alpha-5
    Mozilla Firefox 4.0b7 (x86 en-US)
    Mozilla Firefox 8.0 (x86 en-US)
    Mozilla Thunderbird (3.1.15)
    Mp3tag v2.48
    MSXML 6.0 Parser (KB933579)
    NETGEAR WG111v3 wireless USB 2.0 adapter
    NOOK for PC
    OpenVPN 2.2.0
    Palm
    PC Wizard 2010.1.95
    PdaNet 4.12 for Treo 700p/755p/Centro
    Phun beta 4.22
    puTTY Release 0.58
    QMC
    QT Lite 2.8.0
    Safari
    SageTV Placeshifter
    Sandboxie 3.48
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    SonicWALL Global VPN Client
    Speccy
    Spotify
    Sql Server Customer Experience Improvement Program
    Switch Sound File Converter
    Synergy
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    uTorrentBar Toolbar
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    VLC media player 1.1.11
    VNC Free Edition 4.1.3
    VobSub v2.23 (Remove Only)
    WebFldrs XP
    Winamp
    Windows Driver Package - Intel (NETw5x32) net (07/08/2008 12.0.0.82)
    Windows Driver Package - Intel (w29n51) net (12/19/2007 9.0.4.39)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    World of Warcraft
    Xvid 1.1.3 final uninstall
    XviD MPEG4 Video Codec (remove only)
    Yahoo! Detect
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/21/2011 11:15:08 AM, error: Dhcp [1002] - The IP address lease 192.168.254.156 for the Network Card with network address 00E0B8F9DBD2 has been denied by the DHCP server 216.215.237.174 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Gary. I'll help with the problems, but would like to make some comments first:
1. The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. That doesn't sound appropriate for what you're telling me. We will need to try and find the hidden processes that are bothering Avira.
2. Please remove Hitman: if you have paid for this program, you should request your money back. It is a bundle of free programs, all available on the internet. But the scam is that Hitman will only 'fix' problems free during the Trial Period; after that you have to pay for the program. But if you had gotten the free programs from the internet, they would have been fully functional and free.
3. There are multiple entries for uTorrent and its Toolbar. Please disable those while I'm helping you.
4. The system is showing that Root Repeal is running. Please disable and/or uninstall that.
5. I notice that you have Sandboxie 3.48 installed. Please check the following:
    =================================================
    Now let's see if we can find what's hiding:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
• Click on Yes, to continue scanning for malware
• If Combofix asks you to update the program, allow
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Close any open browsers.
• Double click combofix.exe & follow the prompts to run.
• When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =====================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  [o] Click on the posted image to download the ESET Smart Installer. Save it to your desktop.
  [o] Double click on the icon on your desktop.
• Check 'Yes I accept terms of use.'
• Click Start button
• Accept any security warnings from your browser.
• Uncheck 'Remove found threats'
• Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =========================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
• File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. garys

    garys TS Rookie Topic Starter

    Thanks.

    Thought I'd better check with you on a couple of the answers to your questions before going any farther.

    1. Yeah, didn't make sense to me either. Just decided to try what was suggested...
    2. Done.
    3. Doesn't show as running in task mgr. Any idea how I would disable?
4. This one doesn't show in task mgr either. I looked through the logs and noticed a mention of 'rootrepeal.sys' in the drivers folder. Is this what you're referring to? If so, do you want me to delete that file?
    5. Checked. None seem to apply.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'll remove the entries for #2, 3 and 4 with script I'll write for you to run through Combofix. In the meantime, please don't use any of the uTorrent processes.

    From what you've told me and from what I've seen so far, Avira was not correct in suggesting that tool. Don't be blindly led unless you have enough information.

    Please go ahead with the scans.
     
  5. garys

    garys TS Rookie Topic Starter

    ComboFix 11-11-22.03 - gsieker 11/22/2011 21:43:19.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2400 [GMT -6:00]
    Running from: c:\documents and settings\gsieker\Desktop\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\cygwin\bin\cyglsa\cyglsa.dll
    C:\Install.exe
    c:\windows\CSC\d6
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-23 to 2011-11-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-21 18:22 . 2011-11-21 18:27 -------- d-----w- C:\bd_logs
    2011-11-17 22:08 . 2011-11-05 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-11-17 22:08 . 2011-11-05 06:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-11-17 22:08 . 2011-11-05 06:53 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-11-17 22:08 . 2011-11-05 06:53 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-11-17 22:08 . 2011-11-05 06:53 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-11-17 22:08 . 2011-11-05 06:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-11-17 22:08 . 2011-11-05 03:21 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-11-17 22:08 . 2011-11-05 03:21 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-11-16 01:50 . 2011-11-16 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-16 01:50 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-16 01:41 . 2011-11-16 01:41 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-11-16 01:41 . 2011-11-16 01:41 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-11-16 01:39 . 2011-11-16 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-11-09 19:09 . 2011-11-09 19:09 -------- d-----w- c:\documents and settings\gsieker\Application Data\Avira
    2011-11-09 19:08 . 2011-09-18 14:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-11-09 19:08 . 2011-09-16 05:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-11-09 19:08 . 2011-11-09 19:08 -------- d-----w- c:\program files\Avira
    2011-11-09 19:08 . 2011-11-09 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-10-31 18:05 . 2011-10-31 18:05 -------- d-----w- c:\program files\OpenVPN
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-21 17:17 . 2011-05-25 14:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2008-08-26 19:06 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-10-03 10:06 . 2010-06-13 19:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-03 07:37 . 2009-03-16 18:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-16 05:55 . 2010-02-04 04:24 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-06 13:20 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-11-05 06:53 . 2011-11-17 22:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-12-09 18:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    2010-12-09 18:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-08-09 389352]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-08-22 303104]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 163840]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 135168]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-10-13 4344472]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-10-13 960376]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-10-13 165144]
    "FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2010-10-17 1259008]
    "dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
    .
    c:\documents and settings\gsieker\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-3-27 576000]
    PdaNet Desktop.lnk - c:\program files\PdaNet 4.12\PdaNet.exe [2010-3-18 185560]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2009-10-15 471040]
    NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2009-12-23 2330624]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\SageTV\\Placeshifter\\SageTVPlaceshifter.exe"=
    "c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
    "c:\\Program Files\\RealVNC\\VNC4\\vncviewer_pe.exe"=
    "c:\\Program Files\\PdaNet 4.12\\PdaNet.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files - No install\\eclipse\\eclipse.exe"=
    "c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_config_gui.exe"=
    "c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_quicktv.exe"=
    "c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_setup.exe"=
    "c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_config.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=
    "c:\\Program Files\\FileZilla Server\\FileZilla server.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
    "c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    .
    R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [12/18/2008 11:23 PM 971232]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/9/2011 1:08 PM 36000]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/9/2011 1:08 PM 86224]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 12:13 PM 38144]
    R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2/23/2011 1:11 PM 68096]
    R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [3/18/2010 5:10 PM 8576]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
    S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 2:12 PM 341504]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [7/20/2009 4:38 PM 79888]
    S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 6:28 PM 47128]
    S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 1:49 AM 242712]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 6:28 PM 369688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-03 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2011-05-31 00:57]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\gsieker\Application Data\Mozilla\Firefox\Profiles\2q2zfxjg.default\
    FF - prefs.js: browser.search.selectedEngine - Clusty
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-22 21:52
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2544)
    c:\windows\system32\WININET.dll
    c:\program files\MediaMonkey\DeskPlayer.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\FileZilla Server\FileZilla Server.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\program files\Sandboxie\SbieSvc.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\RealVNC\VNC4\WinVNC4.exe
    c:\cygwin\usr\sbin\sshd.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\stsystra.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\PdaNet 4.12\PdaNetUm.exe
    c:\progra~1\COMMON~1\JFTech\PALMON~1.EXE
    .
    **************************************************************************
    .
    Completion time: 2011-11-22 21:57:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-23 03:57
    .
    Pre-Run: 29,835,362,304 bytes free
    Post-Run: 31,108,374,528 bytes free
    .
    - - End Of File - - 0B8FCAF2C78D4E5AFFBC6B3AADE0A7C1
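Reading a ComboFix log by hand is error-prone. The following is an added Python example, not part of this thread and not ComboFix's own code: it parses the "Files Created" and service lines in the format shown above and lists newly created kernel drivers under system32\drivers that have no service entry in the log, which is a first place to look when an antivirus reports a hidden process. The line layout is assumed from the log as posted; an unmatched driver is a prompt to check the file, not a verdict (Avira's own avipbb.sys is listed without a service line too).

```python
"""Triage helper for two ComboFix log sections (added example, not ComboFix code)."""
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample: six lines copied from the "Files Created" section of the
# ComboFix log posted above (create time . modify time, size, attributes, path).
FILES_CREATED = r"""
2011-11-21 18:22 . 2011-11-21 18:27 -------- d-----w- C:\bd_logs
2011-11-16 01:50 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-16 01:41 . 2011-11-16 01:41 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-09 19:08 . 2011-09-18 14:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-09 19:08 . 2011-09-16 05:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-31 18:05 . 2011-10-31 18:05 -------- d-----w- c:\program files\OpenVPN
"""

# Constructed sample: three service/driver lines from the same log
# (state, name;display name;image path [file time size]).
SERVICES = r"""
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/9/2011 1:08 PM 36000]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2/23/2011 1:11 PM 68096]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
"""

# Field layout is assumed from the log as posted, not taken from ComboFix documentation.
# Size is either a number or a run of dashes (directories); attributes are 8 flag chars.
_FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(\d+|-+) ([-a-z]{8}) (.+)$"
)
# Service lines: "<state> <name>;<display>;<path>[ --> <path>] [<file info>]".
_SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: --> .+?)? \[(.*)\]$")


def parse_files_created(text: str) -> List[Dict[str, object]]:
    """Turn 'Files Created' lines into records; lines that do not match are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _FILE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        records.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": int(size) if size.isdigit() else None,
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return records


def parse_services(text: str) -> Dict[str, Dict[str, str]]:
    """Map each service image path (lower-cased) to its state, name and file info."""
    services: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = _SVC_RE.match(line.strip())
        if not m:
            continue
        state, name, display, path, info = m.groups()
        services[path.lower()] = {"state": state, "name": name,
                                  "display": display, "info": info}
    return services


def new_drivers_without_service(files: List[Dict[str, object]],
                                services: Dict[str, Dict[str, str]]) -> List[str]:
    """Base names of newly created .sys files under a drivers folder that no
    service line in the log points at. Review prompts only: ComboFix omits
    default entries, so a legitimate driver can appear here as well."""
    flagged: List[str] = []
    for rec in files:
        path = str(rec["path"]).lower()
        if rec["is_dir"] or not path.endswith(".sys") or "\\drivers\\" not in path:
            continue
        if path not in services:
            flagged.append(path.rsplit("\\", 1)[-1])
    return flagged


if __name__ == "__main__":
    recs = parse_files_created(FILES_CREATED)
    svcs = parse_services(SERVICES)
    for rec in recs:
        print(rec["created"].strftime("%Y-%m-%d"), rec["path"])
    print("new drivers with no service line:", new_drivers_without_service(recs, svcs))
```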
     
  6. garys

    garys TS Rookie Topic Starter

    ESET results:

    No malware found.

    One slightly confusing thing in the eset directions:

    In the alternate browsers instructions, clicking directly on the posted image for 'esetsmartinstaller_enu', as directed, doesn't seem to do anything. That image also doesn't seem to appear anywhere on the ESETOnlineScan page link posted above the image. Now it's just a blue link that appears in the middle of a popup when you click the ESET Online Scanner button or the download link. Just an fyi that the wording could use a little touch-up.
     
  7. garys

    garys TS Rookie Topic Starter

    Any comments on scan results above? Seems like this thread got lost...
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No, the thread didn't get lost. I have spent the holiday enjoying my family.

I think you misunderstood what the image was. Read the directions again and look for the icon that loaded to the desktop. It's just semantics: the first 'click on image' refers to the download 'button' for the installer. This gives you a new window with the link to click on. The link should then be on the desktop for the installer.
    ========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    Folder::
    c:\program files\Hitman Pro 3.5
    c:\documents and settings\All Users\Application Data\Hitman Pro
    DDS::
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
    ClearJavaCache::
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    
    Reboot::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================================
    I haven't seen any indication of a hidden process. How is the system running? Any related problems?
    ====================================
    Do you realize that you have 4 versions of Firefox on the system?
    Mozilla Firefox 4.0b7 (x86 en-US)
    Mozilla Firefox 8.0 (x86 en-US)
    =====================================
    If you celebrate Thanksgiving, I hope you are having a nice weekend.:)
     
  9. garys

    garys TS Rookie Topic Starter

    Thanks for the reply.

    I'm glad you got to spend time with your family for the holiday. Good to make time to spend time with the family.

    I re-read the eset installation instructions, and I see what you mean. The part about clicking on the extra link in the pop-up window is simply omitted from the directions altogether. I was just suggesting that they could be made a bit more clear.
    ===
I haven't noticed any specific problem with the system, although there has been one strange behavior: I have had a notification for the last several days telling me that Firefox is not the default browser. Each time, I take the option to make it the default. I have not changed this, so this seems odd.
    ===
    On the firefox versions, yes, I sometimes keep older versions around for testing. I don't use them much, and haven't lately.
    ===
    I am still receiving a daily message that one or more 'hidden objects' have been found, so I still think something is going on.

    Again, thanks for the assistance and Happy Thanksgiving.

    I ran combofix again as requested. Here's the log:

    ComboFix 11-11-27.02 - gsieker 11/27/2011 11:42:28.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.1510 [GMT -6:00]
    Running from: c:\documents and settings\gsieker\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\gsieker\Desktop\CFScript.txt
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    FILE ::
    "c:\windows\system32\drivers\hitmanpro35.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Hitman Pro
    c:\documents and settings\All Users\Application Data\Hitman Pro\Banner.bin
    c:\program files\conduitengine\ConduitEngine.dll
    c:\program files\Hitman Pro 3.5
    c:\program files\Hitman Pro 3.5\HitmanPro35.exe
    c:\program files\utorrentbar\tbuTor.dll
    c:\windows\CSC\d6
    c:\windows\system32\drivers\hitmanpro35.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-27 to 2011-11-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-23 18:09 . 2011-11-23 18:09 -------- d-----w- c:\documents and settings\gsieker\Application Data\1_8_2.minecraft
    2011-11-23 04:23 . 2011-11-23 04:23 -------- d-----w- c:\program files\ESET
    2011-11-21 18:22 . 2011-11-21 18:27 -------- d-----w- C:\bd_logs
    2011-11-17 22:08 . 2011-11-05 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-11-17 22:08 . 2011-11-05 06:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-11-17 22:08 . 2011-11-05 06:53 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-11-17 22:08 . 2011-11-05 06:53 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-11-17 22:08 . 2011-11-05 06:53 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-11-17 22:08 . 2011-11-05 06:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-11-17 22:08 . 2011-11-05 03:21 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-11-17 22:08 . 2011-11-05 03:21 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-11-16 01:50 . 2011-11-16 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-16 01:50 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-09 19:09 . 2011-11-09 19:09 -------- d-----w- c:\documents and settings\gsieker\Application Data\Avira
    2011-11-09 19:08 . 2011-09-18 14:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-11-09 19:08 . 2011-09-16 05:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-11-09 19:08 . 2011-11-09 19:08 -------- d-----w- c:\program files\Avira
    2011-11-09 19:08 . 2011-11-09 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-10-31 18:05 . 2011-10-31 18:05 -------- d-----w- c:\program files\OpenVPN
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-21 17:17 . 2011-05-25 14:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2008-08-26 19:06 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-10-03 10:06 . 2010-06-13 19:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-03 07:37 . 2009-03-16 18:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-16 05:55 . 2010-02-04 04:24 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-06 13:20 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-11-05 06:53 . 2011-11-17 22:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-23_03.52.17 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-11-27 17:48 . 2011-11-27 17:48 16384 c:\windows\temp\Perflib_Perfdata_704.dat
    + 2006-02-28 12:00 . 2011-11-23 03:56 604270 c:\windows\system32\perfh009.dat
    - 2006-02-28 12:00 . 2011-11-23 03:45 604270 c:\windows\system32\perfh009.dat
    + 2006-02-28 12:00 . 2011-11-23 03:56 127676 c:\windows\system32\perfc009.dat
    - 2006-02-28 12:00 . 2011-11-23 03:45 127676 c:\windows\system32\perfc009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-08-09 389352]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-08-22 303104]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 163840]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 135168]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-10-13 4344472]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-10-13 960376]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-10-13 165144]
    "FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2010-10-17 1259008]
    "dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
    .
    c:\documents and settings\gsieker\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-3-27 576000]
    PdaNet Desktop.lnk - c:\program files\PdaNet 4.12\PdaNet.exe [2010-3-18 185560]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2009-10-15 471040]
    NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2009-12-23 2330624]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\SageTV\\Placeshifter\\SageTVPlaceshifter.exe"=
    "c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
    "c:\\Program Files\\RealVNC\\VNC4\\vncviewer_pe.exe"=
    "c:\\Program Files\\PdaNet 4.12\\PdaNet.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files - No install\\eclipse\\eclipse.exe"=
    "c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_config_gui.exe"=
    "c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_quicktv.exe"=
    "c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_setup.exe"=
    "c:\\Program Files\\Silicondust\\HDHomeRun\\hdhomerun_config.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=
    "c:\\Program Files\\FileZilla Server\\FileZilla server.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
    "c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    .
    R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [12/18/2008 11:23 PM 971232]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/9/2011 1:08 PM 36000]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/9/2011 1:08 PM 86224]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 12:13 PM 38144]
    R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2/23/2011 1:11 PM 68096]
    R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [3/18/2010 5:10 PM 8576]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
    S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 2:12 PM 341504]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [7/20/2009 4:38 PM 79888]
    S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 6:28 PM 47128]
    S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 1:49 AM 242712]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 6:28 PM 369688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-03 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2011-05-31 00:57]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\gsieker\Application Data\Mozilla\Firefox\Profiles\2q2zfxjg.default\
    FF - prefs.js: browser.search.selectedEngine - Clusty
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-27 11:49
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1212)
    c:\windows\system32\WININET.dll
    c:\program files\MediaMonkey\DeskPlayer.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\FileZilla Server\FileZilla Server.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\program files\Sandboxie\SbieSvc.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\RealVNC\VNC4\WinVNC4.exe
    c:\cygwin\usr\sbin\sshd.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\stsystra.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\PdaNet 4.12\PdaNetUm.exe
    c:\progra~1\COMMON~1\JFTech\PALMON~1.EXE
    c:\program files\Avira\AntiVir Desktop\avnotify.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-27 11:54:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-27 17:54
    ComboFix2.txt 2011-11-23 03:57
    .
    Pre-Run: 31,363,141,632 bytes free
    Post-Run: 31,349,772,288 bytes free
    .
    - - End Of File - - 0030C6C290372A44FC76744D605A54AE
     
  10. Bobbye


    Regarding this:
    I have found that you not only have to check this: In Firefox> Tools> Options> Advanced> General> Default> "Always have Firefox check to see that it is the default browser", but you also have to uncheck "Internet Explorer should always check to see if it's the default browser."

    IE is very pushy and if you don't take away its toys, it will use them!
    ===============================
    The Combofix log looks good. I would like to remove just one more entry:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    KillAll::
    File::
    ClearJavaCache::
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . You do not need to leave the new log unless there have been any additional problems.
    ====================
    There was no indication of hidden files in Combofix
    ==================================
    I would also encourage you to uninstall uTorrent> here's why:
    P2P or 'file sharing' Warning:
    • Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.
    Please read the information on P2P Warning to help you better understand these dangers.
    =================================
    Be sure you have uninstalled this outdated program: Java(TM) 6 Update 7
    ================================
    One quick last scan:
    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
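The CFScript above removes one value from the XP firewall's AuthorizedApplications list by hand. The following script, added here as an example and not part of the thread, of ComboFix or of the helper's instructions, does the triage step that precedes such a script: it parses the two firewall keys exactly as ComboFix prints them under 'Reg Loading Points', flags exception entries for remote-access and P2P binaries, decodes the GloballyOpenPorts entry (the `@xpsp2res.dll,-22009` part is a resource-string reference for the port's display name, and `Disabled` means the exception is not active), and emits the same `"name"=-` delete lines under `Registry::` that the helper's CFScript uses. SAMPLE_LOG is a constructed excerpt assembled from lines in the posted log; the WATCH dictionary is the author's assumption about which executables are worth a second look, not something ComboFix reports.

```python
"""Triage the Windows XP firewall exception lists that ComboFix prints under
'Reg Loading Points'.  Added example for this thread; it is not ComboFix,
TechSpot or the helper's code.  SAMPLE_LOG is a constructed excerpt built
from lines in the posted log; WATCH is an assumed watch-list."""
import re

SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla server.exe"=
"c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
"""

AUTH_KEY = "AuthorizedApplications\\List"
PORTS_KEY = "GloballyOpenPorts\\List"
AUTH_KEY_FULL = ("[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy"
                 "\\standardprofile\\AuthorizedApplications\\List]")

# Assumed watch-list (author's choice): binaries that expose the host
# if they stay in the firewall exception list.
WATCH = {
    "winvnc4.exe": "remote desktop server (VNC)",
    "utorrent.exe": "P2P client",
    "filezilla server.exe": "FTP server",
    "sshd.exe": "SSH server",
}

# REGEDIT4 value line: "name"=data, with backslashes doubled inside the name.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=\s*(?P<data>.*)$')


def parse_firewall_sections(text):
    """Return {'apps': [(path, data)], 'ports': [(name, data)]} from a ComboFix log."""
    result = {"apps": [], "ports": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # a new registry key starts
            if line.endswith(AUTH_KEY + "]"):
                current = "apps"
            elif line.endswith(PORTS_KEY + "]"):
                current = "ports"
            else:
                current = None
            continue
        if line == ".":                   # ComboFix's section terminator
            current = None
            continue
        if current is None or not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            name = m.group("name").replace("\\\\", "\\")  # un-escape REGEDIT4
            result[current].append((name, m.group("data")))
    return result


def parse_port_entry(data):
    """Split '3389:TCP:*:Disabled:@xpsp2res.dll,-22009' into its fields."""
    port, proto, scope, state, desc = data.split(":", 4)
    return {"port": int(port), "proto": proto, "scope": scope,
            "enabled": state.lower() == "enabled", "desc": desc}


def flag_entries(parsed):
    """List (item, reason) pairs worth reviewing: watched binaries and open ports."""
    findings = []
    for path, _ in parsed["apps"]:
        base = path.rsplit("\\", 1)[-1].lower()
        if base in WATCH:
            findings.append((path, WATCH[base]))
    for _, data in parsed["ports"]:
        p = parse_port_entry(data)
        if p["enabled"]:                  # a Disabled entry is inert
            findings.append(("%d/%s" % (p["port"], p["proto"]), "globally open port"))
    return findings


def cfscript_registry_block(paths):
    """Emit a CFScript 'Registry::' block deleting the given authorized-app values;
    '"name"=-' is the REGEDIT4 delete syntax, as in the helper's script above."""
    lines = ["Registry::", AUTH_KEY_FULL]
    for p in paths:
        lines.append('"%s"=-' % p.replace("\\", "\\\\"))
    return "\n".join(lines)


def main():
    parsed = parse_firewall_sections(SAMPLE_LOG)
    for item, reason in flag_entries(parsed):
        print("REVIEW  %-55s %s" % (item, reason))
    print(cfscript_registry_block([p for p, _ in parsed["apps"]
                                   if p.lower().endswith("utorrent.exe")]))


if __name__ == "__main__":
    main()
```

Two caveats when reading the output: an AuthorizedApplications entry only matters while the XP firewall is actually on for that profile, and a stale entry whose executable no longer exists on disk is harmless but still worth deleting so it cannot be reused by a file dropped at the same path.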
     
Topic Status:
Not open for further replies.
