Solved Can't get rid of armdl.adobe.com svchost virus

[caydee]

Hi there

A few days ago, my AVG internet security started displaying a virus notification every five minutes:
armdl.adobe.com/pub/adobe/reader/win/9x/9.4.0/en_US/AdbeRdr940_en_US.msi
Virus found LOP
Process name: C:\Windows\system32\svchost.eve
Process ID: 1176 (this changes)

AVG as well as ESET (installed after it started appearing) pick up nothing. Nor does Malwarebytes. I followed your 8 step program and here are my logs:

MALWAREBYTES:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5542

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

1/17/2011 21:54:40
mbam-log-2011-01-17 (21-54-40).txt

Scan type: Quick scan
Objects scanned: 155673
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-17 21:31:56
Windows 6.1.7600
Running: 15qtyh2t.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\

---- EOF - GMER 1.0.15 ----

DDS:


DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Caitlin at 21:55:21.47 on Mon 01/17/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.816 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: AVG Internet Security *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: AVG Internet Security *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Program Files (x86)\AVG\AVG9\avgfws9.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files (x86)\AVG\AVG9\avgemc.exe
C:\Program Files (x86)\AVG\AVG9\avgam.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Users\Caitlin\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Users\Caitlin\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files (x86)\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Program Files (x86)\Logitech\LWS\LU\LULnchr.exe
C:\Program Files (x86)\Logitech\LWS\LU\LogitechUpdate.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Caitlin\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
mWinlogon: Userinit=userinit.exe
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [googletalk] C:\Users\Caitlin\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
uRun: [Google Update] "C:\Users\Caitlin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Logitech Vid HD] "C:\Program Files (x86)\Logitech\Vid\vid.exe" -bootmode
mRun: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
mRun: [MobileConnect] C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files (x86)\Silver Sands Poker\GameClient.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
mRun-x64: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun-x64: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Caitlin\AppData\Roaming\Mozilla\Firefox\Profiles\acrpqnig.default\
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Users\Caitlin\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrw7a;AVG9IDSErHr;C:\Windows\System32\drivers\AVGIDSwa.sys [2010-5-1 27216]
R0 AvgRkx64;avgrkx64.sys;C:\Windows\System32\drivers\avgrkx64.sys [2010-5-1 56008]
R1 Avgfwfd;AVG network filter service;C:\Windows\System32\drivers\avgfwd6a.sys [2010-5-1 29976]
R1 AvgLdx64;AVG AVI Loader Driver x64;C:\Windows\System32\drivers\avgldx64.sys [2010-5-1 269904]
R1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;C:\Windows\System32\drivers\avgmfx64.sys [2010-5-1 35536]
R1 AvgTdiA;AVG Network Redirector x64;C:\Windows\System32\drivers\avgtdia.sys [2010-5-1 317520]
R2 avg9emc;AVG E-mail Scanner;C:\Program Files (x86)\AVG\AVG9\avgemc.exe [2010-6-22 921952]
R2 avg9wd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-6-22 308136]
R2 avgfws9;AVG Firewall;C:\Program Files (x86)\AVG\AVG9\avgfws9.exe [2010-6-22 2331544]
R2 AVGIDSAgent;AVG9IDSAgent;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2010-6-22 5897808]
R2 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2010-9-3 170104]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2010-11-4 810144]
R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2010-7-29 126320]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe [2010-5-7 197976]
R2 TeamViewer5;TeamViewer 5;C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-4-16 173352]
R3 AVGIDSDriverw7a;AVG9IDSDriver;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN764\AVGIDSDriver.sys [2010-5-1 132688]
R3 AVGIDSFilterw7a;AVG9IDSFilter;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN764\AVGIDSFilter.sys [2010-5-1 35920]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2010-5-7 30304]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-14 292864]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-14 1485312]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-14 740864]
S2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2009-12-23 370688]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 LVUVC64;Logitech Webcam 120(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2010-7-27 6465632]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]

=============== Created Last 30 ================

2011-01-17 19:47:04 -------- d-----w- C:\Users\Caitlin\AppData\Roaming\Malwarebytes
2011-01-17 19:46:57 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-17 19:46:56 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-01-17 19:46:53 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-17 19:46:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-01-16 17:08:37 388096 ----a-r- C:\Users\Caitlin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-16 17:08:34 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-01-12 09:34:45 3124224 ----a-w- C:\Windows\System32\win32k.sys
2011-01-12 09:32:45 720896 ----a-w- C:\Windows\System32\odbc32.dll
2011-01-12 09:31:42 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2011-01-12 09:30:38 516096 ----a-w- C:\Program Files\Windows Mail\wab.exe
2011-01-12 09:30:38 516096 ----a-w- C:\Program Files (x86)\Windows Mail\wab.exe
2011-01-12 09:30:38 35328 ----a-w- C:\Program Files\Windows Mail\wabfind.dll
2011-01-12 09:30:37 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-01-12 09:30:37 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-01-12 09:30:37 236032 ----a-w- C:\Windows\System32\srvsvc.dll
2011-01-12 09:30:36 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2011-01-12 09:30:36 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-01-12 09:30:35 112000 ----a-w- C:\Windows\System32\consent.exe
2011-01-12 09:18:39 -------- d-----w- C:\Program Files\ESET
2011-01-12 08:21:07 691 ----a-w- C:\Users\Caitlin\AppData\Roaming\GetValue.vbs
2011-01-12 08:21:07 35 ----a-w- C:\Users\Caitlin\AppData\Roaming\SetValue.bat
2011-01-12 08:21:07 2130 ----a-w- C:\Windows\SysWow64\tmp.reg
2010-12-30 15:44:52 176488 ----a-w- C:\PROGRA~3\Microsoft\Windows\Sqm\Manifest\Sqm10136.bin

==================== Find3M ====================

2010-12-06 11:41:44 720896 ----a-w- C:\Windows\iun6002.exe
2010-11-12 16:53:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-27 04:32:36 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-10-26 07:24:47 114688 ----a-w- C:\Windows\keymail.dll
2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll

============= FINISH: 21:56:53.97 ===============

ATTACH:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 5/1/2010 13:37:31
System Uptime: 1/17/2011 21:32:49 (0 hours ago)

Motherboard: Dell Inc. | | 0KU184
Processor: Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz | Microprocessor | 1782/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 17.759 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP98: 1/16/2011 19:52:07 - Removed Rapport
RP99: 1/16/2011 19:53:46 - Removed QuickTime
RP100: 1/17/2011 15:52:56 - Installed Java(TM) 6 Update 23

==== Installed Programs ======================

µTorrent
Adobe Flash Player 10 Plugin
Advertising Center
Apple Application Support
Apple Software Update
AVG 9.0
BlackBerry Desktop Software 6.0
BlackBerry Device Manager 6.0
CameraHelperMsi
erLT
Google Chrome
Google Talk (remove only)
GTK+ Runtime 2.14.7 rev a (remove only)
HiJackThis
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 23
LiveUpdate 3.3 (Symantec Corporation)
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Pictures And Video
LWS Video Mask Maker
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9 Lite
Nero ControlCenter
Nero Installer
Nero Online Upgrade
Nero StartSmart
neroxml
NoteTab Light 5 (Remove only)
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype Toolbars
Skype™ 4.2
Striata Reader
TeamViewer 5
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2483110)
VirtualCloneDrive
Visual C++ 8.0 Runtime Setup Package (x64)
Vodafone Mobile Connect
VoiceOver Kit
WinAce Archiver
Windows Live Sign-in Assistant
Windows Live Upload Tool

==== Event Viewer Messages From Past Week ========

1/17/2011 20:32:48, Error: Service Control Manager [7034] - The AVG9IDSAgent service terminated unexpectedly. It has done this 1 time(s).
1/17/2011 17:22:54, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
1/17/2011 00:09:35, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Vodafone Mobile Connect Service service to connect.
1/16/2011 19:16:35, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
1/16/2011 19:16:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/16/2011 19:16:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/16/2011 19:16:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
1/16/2011 19:16:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
1/16/2011 19:16:32, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/16/2011 19:16:24, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/16/2011 19:16:14, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgfwfd AvgLdx64 AvgMfx64 AvgTdiA CSC DfsC discache ehdrv ElbyCDIO NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf
1/16/2011 19:16:14, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/16/2011 19:16:14, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/16/2011 19:16:14, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
1/16/2011 19:16:14, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/16/2011 19:16:14, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/16/2011 19:16:14, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
1/16/2011 19:16:14, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/16/2011 19:16:14, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/16/2011 19:16:14, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/16/2011 19:16:14, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/16/2011 19:15:47, Error: sptd [4] - Driver detected an internal error in its data structures for .
1/16/2011 18:58:41, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c2 (0x0000000000000007, 0x0000000000001097, 0x0000000000000000, 0xfffff8a00941e010). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011611-27097-01.
1/13/2011 16:42:52, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{0C9CD892-B0C2-4226-A056-69A41939A969} because another computer on the network has the same name. The server could not start.
1/13/2011 08:20:01, Error: Service Control Manager [7022] - The Windows Search service hung on starting.
1/13/2011 08:16:55, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
1/12/2011 13:14:30, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c2 (0x0000000000000007, 0x0000000000001097, 0x0000000000000000, 0xfffffa8001ebd010). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011211-40638-01.
1/12/2011 13:03:43, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000019 (0x0000000000000022, 0xfffffa8000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011211-42713-01.
1/12/2011 10:17:18, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgfwfd AvgLdx64 AvgMfx64 AvgTdiA CSC DfsC discache ElbyCDIO NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf
1/12/2011 09:48:51, Error: Service Control Manager [7023] - The Windows Modules Installer service terminated with the following error: The configuration registry database is corrupt.
1/10/2011 16:53:16, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TeamViewer5 service.

==== End Of File ===========================

Please help

 

[Bobbye]

Welcome to TechSpot! I'll help you find the cause of the problem.

First thing you must do though is remove one of the 3 antivirus programs you have running.
AVG
EsetNod32
McAfee
Having multiple AV programs-and firewalls will make your system more vulnerable. I will have you do an online Eset scan later. Here are tools to help with removal of program you don't want to keep:

1. AVG Remover:64 bit
AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
Note: You will be asked during the removal procedure to restart your computer. Please do so.
Make sure there is no open work in process prior to launching AVG Remover.
2. Eset Nod32 Uninstall
3. McAfee Removal
Please reboot the computer when finished.
===============================================
Note: To run the following Combofix scan, you will be required to uninstall AVG. The program will not run otherwise and there is no way to disable all of the processes. I recommend that you remove AVG and McAfee and keep Eset Nod32- the latter is the better of the programs in my opinion.
================================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2http://www.forospyware.com/sUBs/ComboFix.exe

• Double click combofix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
• Query- Recovery Console image
  
  
  
  

  WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• .Close any open browsers.
• .Double click combofix.exe
  
  & follow the prompts to run.
• When the scan completes it will open a text window. Please paste that log in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=========================================
armdl.adobe.com is the Domain name for NTT-COMMUNICATIONS-2914 - NTT America, Inc.
OrgName: NTT America, Inc.
OrgId: NTTAM-1
Address: 8005 South Chester Street
Address: Suite 200
City: Centennial
StateProv: CO
==========================================
I need to see the IP on your system:
Click on Start> Run> type in cmd> enter> at the C prompt, type in netstat -an
Note that there is a space after netstat before the -an.

I need to see what is on your system for Name Server. I don't see any proxy setting in these logs. Please advise me if you have proxies set.
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

 

[caydee]

Svchost.exe virus combofix results

Hi there

Thank you for your help. I uninstalled all the antivirus software on my PC, including ESET.

I then ran Combofix and here is the log: (it did not ask me to install Windows recovery console)

ComboFix 11-01-17.04 - Caitlin 01/18/2011 11:19:22.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1142 [GMT 2:00]
Running from: c:\users\Caitlin\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\System3215.exe
c:\windows\SysWow64\404Fix.exe
c:\windows\SysWow64\Agent.OMZ.Fix.exe
c:\windows\SysWow64\dumphive.exe
c:\windows\SysWow64\IEDFix.C.exe
c:\windows\SysWow64\IEDFix.exe
c:\windows\SysWow64\o4Patch.exe
c:\windows\SysWow64\Process.exe
c:\windows\SysWow64\SrchSTS.exe
c:\windows\SysWow64\tmp.reg
c:\windows\SysWow64\VACFix.exe
c:\windows\SysWow64\VCCLSID.exe
c:\windows\SysWow64\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
.

2011-01-18 09:28 . 2011-01-18 09:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-18 08:54 . 2011-01-18 08:54 -------- d-s---w- c:\windows\SysWow64\Microsoft
2011-01-17 19:47 . 2011-01-17 19:47 -------- d-----w- c:\users\Caitlin\AppData\Roaming\Malwarebytes
2011-01-17 19:46 . 2010-12-20 16:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-17 19:46 . 2011-01-17 19:46 -------- d-----w- c:\programdata\Malwarebytes
2011-01-17 19:46 . 2011-01-17 19:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-17 19:46 . 2010-12-20 16:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-16 17:08 . 2011-01-16 17:08 388096 ----a-r- c:\users\Caitlin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-16 17:08 . 2011-01-16 17:08 -------- d-----w- c:\program files (x86)\Trend Micro
2011-01-12 09:34 . 2010-10-20 03:09 3124224 ----a-w- c:\windows\system32\win32k.sys
2011-01-12 09:32 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 09:31 . 2010-08-31 04:32 954752 ----a-w- c:\windows\SysWow64\mfc40.dll
2011-01-12 09:30 . 2010-10-12 05:05 35328 ----a-w- c:\program files\Windows Mail\wabfind.dll
2011-01-12 09:30 . 2010-10-12 05:00 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2011-01-12 09:30 . 2010-10-12 04:25 516096 ----a-w- c:\program files (x86)\Windows Mail\wab.exe
2011-01-12 09:30 . 2010-08-27 06:14 236032 ----a-w- c:\windows\system32\srvsvc.dll
2011-01-12 09:30 . 2010-08-27 03:38 463360 ----a-w- c:\windows\system32\drivers\srv.sys
2011-01-12 09:30 . 2010-08-27 03:37 402944 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-01-12 09:30 . 2010-08-27 05:46 9728 ----a-w- c:\windows\SysWow64\sscore.dll
2011-01-12 09:30 . 2010-08-27 03:37 161792 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-01-12 09:30 . 2010-10-16 05:23 112000 ----a-w- c:\windows\system32\consent.exe
2011-01-12 08:21 . 2011-01-16 17:19 691 ----a-w- c:\users\Caitlin\AppData\Roaming\GetValue.vbs
2011-01-12 08:21 . 2011-01-16 17:19 35 ----a-w- c:\users\Caitlin\AppData\Roaming\SetValue.bat
2010-12-30 15:44 . 2010-12-30 15:44 176488 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10136.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-06 11:41 . 2010-12-06 11:42 720896 ----a-w- c:\windows\iun6002.exe
2010-11-12 16:53 . 2010-05-02 15:24 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2010-10-26 07:24 . 2010-10-26 07:24 114688 ----a-w- c:\windows\keymail.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-04-20 26192680]
"googletalk"="c:\users\Caitlin\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Update"="c:\users\Caitlin\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-09-02 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"MobileConnect"="c:\program files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-11-04 2087424]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-11-17 421160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

R3 LVUVC64;Logitech Webcam 120(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2010-07-27 6465632]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-19 50688]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-16 834544]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-07 197976]
S2 TeamViewer5;TeamViewer 5;c:\program files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-04-16 173352]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-11-04 14336]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-07 30304]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]

.
Contents of the 'Scheduled Tasks' folder

2011-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2109998-1175625865-2874948040-1001Core.job
- c:\users\Caitlin\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 18:08]

2011-01-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2109998-1175625865-2874948040-1001UA.job
- c:\users\Caitlin\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 18:08]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\users\Caitlin\AppData\Roaming\Mozilla\Firefox\Profiles\acrpqnig.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKCU-Run-msnmsgr - c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe
Wow6432Node-HKCU-Run-Logitech Vid HD - c:\program files (x86)\Logitech\Vid\vid.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-01-18 11:44:31
ComboFix-quarantined-files.txt 2011-01-18 09:44

Pre-Run: 19,594,711,040 bytes free
Post-Run: 19,474,944,000 bytes free

- - End Of File - - B1EC95968B4520EAD8AB233C26C34D6B

Here are the results of netstat -an (I do not have any proxies set)
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Caitlin>netstat -an
Active Connections
========================================
Please advise.
Thanks again
========================================
Edit: Thank you. I have made note of the IPs and am deleting them for your safety.

 

[Bobbye]

Please install an antivirus program now. While you will need to disable it to run the following scan, you still need to have an AV program running. Use one of these free, good choices for now:
Avira Free
Avast Home

Please reboot the computer when done. Then run the following online virus scan:

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I did not see any of the IPs I found associated with the adobe.adobe.com. I then deleted the IP information for your safety. I'll be checking the rest of the Combofix log while you do that.

 

[caydee]

Results of ESET onlinescanner

Log file:
ESETSmartInstaller@High as downloader log:
Can not extract cabC:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScanner.cabErr:The operation completed successfully.
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=1eea58f233e9f04d894c579e926188be
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-01-18 09:45:39
# local_time=2011-01-18 11:45:39 (+0200, South Africa Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 185718 185718 0 0
# compatibility_mode=1029 16777214 0 1 42069 42069 0 0
# compatibility_mode=5893 16776574 100 94 18759023 47833565 0 0
# compatibility_mode=8199 22379965 100 76 1361 6499826 0 0
# scanned=105247
# found=7
# cleaned=0
# scan_time=3728
# nod_component=V3 Build:0x30000000
C:\Qoobox\Quarantine\C\Windows\SysWOW64\Process.exe.vir Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Caitlin\Desktop\SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Caitlin\Desktop\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Caitlin\Desktop\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Caitlin\Documents\Programs\SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Caitlin\Documents\Programs\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Caitlin\Documents\Programs\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I




I installed ESET NOD32 trial version, as I already had a recent install file for it. I tried multiple times on both chrome and firefox to download either avast or avira (before installing ESET), but every time the download cut out midway (not due to a faulty internet connection).

SmitFraudFix is a anti-desktop hijack program i tried to get rid of the virus before, must I uninstall it?

 

[Bobbye]

I don't know where my reply went, but I did make it!

SmitFraudFix is a anti-desktop hijack program

No, it is not.

The author of the SmutFraudFix program has this description and this warning:

File Description:
SmitFraudFix is a tool that S!Ri created to remove rogue anti-spyware applications that utilize Trojans to issue fake taskbar security alerts or that change your background in order to scare you into purchasing the full commercial version of their software..
These infections are difficult to remove and are usually bundled with so much other malware, that traditional antispyware or antivirus programs have difficult completely cleaning these infections. Due to this a specialized tool was created in order to help a user clean their system of these infections.

I do not recommend using the tool without guidance from a qualified malware removal specialist!

IF you suspect malware, rather than look around the internet for some program to try, let us help you. You can damage the system and possibly get it unbootable.

I don't know where you downloaded this program- Possibly for a site that had bad entries. I am removing the infected files but I also recommend that you uninstall SmitFraudFix. This is a program that should only be run for certain malware infections. It is not a program you put on the system for security.
========================================
Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Files  
  C:\Users\Caitlin\Desktop\SmitfraudFix.exe 
  C:\Users\Caitlin\Desktop\SmitfraudFix\Process.exe ;C
  :\Users\Caitlin\DesktopSmitfraudFixx\restartexee 
  C:\Users\Caitlin\Documents\ProgramsSmitfraudFixxexee 
  C:\Users\Caitlin\Documents\ProgramsSmitfraudFixx\Processexee 
  C:\Users\Caitlin\Documents\ProgramsSmitfraudFixx\restartexee 
  :Commands
  [purity]
  emptytempp]
  [start explorer]
  [Reboot]

• Return toOTMoveItt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red [bMoveitt![/b] button.
• A log of files and folders moved will be created in the c:_OTMoveIttMovedFiless folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close [bOTMoveItt3[/b]

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============================================
Combofix removed files associated with SmitFraud. But since you ran the program previously and I don't know what was on the system and since Eset shows infected files, I'm not sure if you have left-over SF files from the program itself or whether it's the SF infection.

So run OTM and uninstall the SmitFraudFix. I will recommend other security programs for the system. After the uninstall, use Windows Explorer to delete the program folder:
Windows key + E> My Computer> Double click on Local Drive (C)> Programs> scroll to the SmitFraudFix folder and do a right click> Delete. Then close Windows Explorer.
Reboot
=========================================
Let me know how the system is running and scan with the following:
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.

• Extract it to a directory on your hard drive called c:\HijackThis.
• Then navigate to that directory and double-click on the hijackthis.exe file.
• When started click on the Scan button and then the Save Log button to create a log of your information.
• The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

 

[caydee]

Results of OTM and HiJackThis

Hi again

Sorry for using SmitFraudFix, the only reason I used it is because my old computer technician left it lying around my computer, and I was slightly insane/desperate
Didn't do any damage though.

Here are the results of OTM:
Error: Unable to interpret < > in the current context!
========== FILES ==========
C:\Users\Caitlin\Desktop\SmitfraudFix.exe moved successfully.
File/Folder C:\Users\Caitlin\Desktop\SmitfraudFix\Process.exe ;C not found.
Error: Unable to interpret <:\Users\Caitlin\DesktopSmitfraudFixx\restartexee > in the current context!
Error: Unable to interpret <C:\Users\Caitlin\Documents\ProgramsSmitfraudFixxexee > in the current context!
Error: Unable to interpret <C:\Users\Caitlin\Documents\ProgramsSmitfraudFixx\Processexee > in the current context!
Error: Unable to interpret <C:\Users\Caitlin\Documents\ProgramsSmitfraudFixx\restartexee > in the current context!
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.17.2 log created on 01212011_111938

I manually deleted SmitFraudFix off my pc.
Here are the results of the HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:45:58, on 1/21/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Users\Caitlin\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Users\Caitlin\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Logitech\LWS\LU\LULnchr.exe
C:\Program Files (x86)\Logitech\LWS\LU\LogitechUpdate.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [MobileConnect] C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] C:\Users\Caitlin\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [Google Update] "C:\Users\Caitlin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files (x86)\Silver Sands Poker\GameClient.exe (file missing)
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll (file missing)
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7559 bytes

However, I got two errors when attempting to run it. I have attached these.
I opened C:\Windows\System32\drivers\etc\hosts in notepad as indicated - it came up blank. I then tried to resave it as "hosts" and it came back as Access Denied.

 

[Bobbye]

I manually deleted SmitFraudFix off my pc.

Make sure you uninstalled it in add/Remove Programs and deleted the program folder.

Sorry about HJT. Must have had a brain drain yesterday- told 2 members with 64bit OS to run HJT and it doesn't scan properly. My bad! But what I do see is okay.

I think this is the bad guy: 2010-12-06 11:42 720896 ----a-w- c:\windows\iun6002.exe
This process is for Spyware.DsktopSurveil which logs keystrokes, program use, and captures screenshots. It can run in hidden mode. It monitors user Internet activity and private information. It sends stolen data to a hacker site. A one word description is keylogger.

Spyware.DsktopSurveil must be manually installed.

Did you install this? If not, did someone else have access to the system?

I cannot find any recommendation that this might be a keylogger that a user would install on their own system. It is considered dangerous. In short, your system has been compromised and since it can run hidden, there is no way fr you to know how long it's been on the system.

At this point, I strongly recommended that you change all of your passwords and monitor any financial transactions on the internet. You should reformat and reinstall the OS. Once done, if you establish that you are clean, you can set new passwords.

 

[caydee]

Spyware.DsktopSurveil

Hi there

I have no idea how that could have gotten onto my PC. Which is scary in itself. However, at least now I can remove it...

One question, I will reformat and reinstall but is it alright for me to copy my docs over to my portable harddrive or is it possible for the keylogger program to "jump across" like a worm?

I'm thinking probably not, but I wanted to make sure!
Thank you for all your help, I will let you know how it goes.

 

[Bobbye]

Most keylogger programs are transferred directly onto a user’s machine through a secondary storage device, like a DVD drive, or removable storage media, like USB flash drives. The files can also be attached to downloads from unsecured sources like most other malware, as keyloggers are essentially Trojans by nature.

So to be on the safe side, you should disinfect the flash drive first:

Threat Removal Procedure:

• 
  [1]. Download Flash_Disinfector and save it to your Desktop.
  [2]. After downloading, double-click on Flash_Disinfector to run it.
  [3]. Just follow the prompts and continue until it begin scanning.
  
  
  
  [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
  [5]. It will scan removable drives, wait for the scan to finish. Done.

What will Flash Disinfector Do
- Clean up junks created by flash malwares
- Deletes autorun.inf from every root folder
- Fix back damages done to your system
- Creates an autorun.inf folder in the root of your system drives

The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.

Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Reformatting must be done through the use of an installation CD. Since the machine is booted up through the use of an installation CD, the keylogger is no longer resident in the main memory and therefore is subject to removal.

Don't back u or transfer any executable files> files with .exe extension. If you have any doubt at all. scan the files on the flash drive before putting them back on the system.