Inactive Malware.Trace; Backdoor.Bot; Trojan.Shell; Trojan.Agent Found


wildbilliii

Hello and Thanks up front!!

IE8 will not connect to any webpages after my wife clicked on a spot last night while surfing the net.

I have followed your 8 steps and the results are pasted below:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5120

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

11/15/2010 7:49:48 AM
mbam-log-2010-11-15 (07-49-48).txt

Scan type: Quick scan
Objects scanned: 150100
Time elapsed: 11 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\users\stacy\appdata\local\temp\dwm.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Stacy\AppData\Roaming\Microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Stacy\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.
C:\Users\Stacy\AppData\Local\Temp\dwm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-15 12:14:40
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 WDC_WD1600BEVT-60ZCT1 rev.13.01A13
Running: 34svv3lk.exe; Driver: C:\Users\Stacy\AppData\Local\Temp\fglcypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-11-10.01) - NTFSx86
Run by Stacy at 12:15:07.56 on Mon 11/15/2010
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.917 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxdvcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Ellie Mae\SCAppMgr\SCAppMgr.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\wspan\swgw\FilterAgent.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Windows\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Stacy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\users\stacy\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\worlds~1.lnk - c:\wspan\swgw\FilterAgent.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: worldspan.com
Trusted Zone: wspan.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe -service --> c:\windows\system32\lxdvcoms.exe -service [?]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-25 365952]
R2 SCAppMgr;Smart Client App Manager;c:\program files\ellie mae\scappmgr\SCAppMgr.exe [2008-7-29 65536]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-25 193840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-6-26 66080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdvserv.exe [2007-10-18 98984]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-3-15 33024]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-3-15 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-3-15 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-3-15 59904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-12 12:41:11 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{a7dd4ae4-c2aa-4d1c-a1bb-9762fbbe2c5b}\mpengine.dll
2010-11-09 19:25:24 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-08 03:09:13 -------- d-----w- c:\windows\system32\20-20 Technologies
2010-10-27 11:59:37 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 11:59:36 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-27 11:59:36 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

==================== Find3M ====================

2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll

============= FINISH: 12:15:57.38 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 1/8/2009 11:57:30 PM
System Uptime: 11/15/2010 8:14:08 AM (4 hours ago)

Motherboard: Wistron | | 303C
Processor: AMD Athlon Dual-Core QL-62 | Socket A | 1000/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 138 GiB total, 57.442 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 1.827 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet 6000 E609n
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet 6000 E609n
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

Class GUID: {4d36e979-e325-11ce-bfc1-08002be10318}
Description: Officejet 6000 E609n
Device ID: ROOT\PRINTER\0000
Manufacturer: HP
Name: Officejet 6000 E609n
PNP Device ID: ROOT\PRINTER\0000
Service:

==== System Restore Points ===================


==== Installed Programs ======================

32 Bit HP CIO Components Installer
6000E609_eDocs
6000E609_Help
6000E609n
ABBYY FineReader 6.0 Sprint
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 8
Adobe Reader 9.1
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft MediaImpression
Atheros Driver Installation Program
Bing Maps 3D
Bonjour
BPDSoftware
BPDSoftware_Ini
BufferChm
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CyberLink DVD Suite
DeviceDiscovery
Epson Copy Utility 3.4
Epson Event Manager
EPSON Perfection V300 Photo Scanner Driver Update
EPSON Scan
ESU for Microsoft Vista
GO! Res
GoToMeeting 4.0.0.320
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.7
HP Help and Support
HP Imaging Device Functions 12.0
HP Officejet 6000 E609 Series
HP Photosmart Essential 3.5
HP Quick Launch Buttons 6.40 H2
HP Smart Web Printing
HP Total Care Advisor
HP Update
HP User Guides 0118
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPTCSSetup
iTunes
Java(TM) 6 Update 17
Juno Preloader
LabelPrint
LanUpdate
Lexmark X5400 Series
LightScribe System Software 1.14.17.1
Malwarebytes' Anti-Malware
Micrografx Windows Draw 6 LE
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Live Search Toolbar
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Works
Microsoft XML Parser
Move Media Player
MP3 Rocket
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee Reveal
My HP Games
Netgear Update Assistant
NetWaiting
Network
Norton Internet Security
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PANTECH UM175 Driver
Picasa 3
Power2Go
PowerDirector
ProductContext
PVSonyDll
QuickTime
Realtek USB 2.0 Card Reader
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Serif DrawPlus 4.0
Serif PagePlus 10.0 Resource CD-ROM
Serif PagePlus 9.0
Skype™ 3.8
SmartClient Core
SmartClient Installation Manager
SmartWebPrinting
Spelling Dictionaries Support For Adobe Reader 9
SPORE Creature Creator Trial Edition
Status
Synaptics Pointing Device Driver
Toolbox
TrayApp
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VZAccess Manager
WebReg
Windows Live ID Sign-in Assistant
Worldspan API

==== End Of File ===========================
 
Welcome to TechSpot! You do have an assortment of malware- I'll help you with it.

What you need to know about a Backdoor.bot:
What is a Backdoor.bot?
This is a piece of malware that has worm, downloader, backdoor, keylogger and spy ability. It may arrive on a system after being exploited by a copy of the worm residing on an infected machine in the network. After execution, the malware will inject a piece of code in kernel mode (by gaining access to \Device\PhysicalMemory). It will make a copy of itself inside c:\windows\fonts\unwise_.exe (hidden), execute it and continue execution there. The original file will then be deleted. The worm will register itself as a service under the name: Windows Hosts Controller, and set the information to "Enables Windows Host Controller Service. This service cannot be stopped.", discouraging users from deleting it.
- The worm has the ability to spread via:
  - USB drives; when it detects a new drive, it will make a fresh copy of itself on the USB drive in the following directory: Recycler\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx\file-name.exe. It will also create an autorun.inf file that will point to the new copy.

And yes- it makes Registry changes to the firewall and the Security Center. It can do or cause:
  1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
  2. Data theft (e.g. retrieving passwords or credit card information)
  3. Installation of software, including third-party malware
  4. Downloading or uploading of files on the user's computer
  5. Modification or deletion of files
  6. Keystroke logging
  7. Watching the user's screen
  8. Wasting the computer's storage space
  9. Crashing the computer

Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean, which may not find or remove all of its code?

Let's run an online antivirus scan and see what it finds:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
Thanks Bobbye!!

Here's what we found:

C:\Users\Stacy\AppData\Local\Temp\tmp7DE.tmp a variant of Win32/Kryptik.GL trojan
C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp Win32/Olmarik.LT virus
D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com a variant of Win32/Kryptik.GL trojan
 
I see why you guys recommend a reformat/reinstall. Is it possible to back up pics and videos before reformat/reinstall?
 
No Sality is showing here. Please repost and include the entire Eset log- not just these entries.
 
I ran a scan with Avira this morning and then ran the Eset and here are the results.

Avira AntiVir Personal
Report file date: Tuesday, November 16, 2010 08:44

Scanning for 3056103 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : SYSTEM
Computer name : STACY-PC

Version information:

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, November 16, 2010 08:44

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'vssvc.exe' - '49' Module(s) have been scanned
Scan process 'avscan.exe' - '77' Module(s) have been scanned
Scan process 'avcenter.exe' - '65' Module(s) have been scanned
Scan process 'avgnt.exe' - '58' Module(s) have been scanned
Scan process 'sched.exe' - '56' Module(s) have been scanned
Scan process 'avshadow.exe' - '33' Module(s) have been scanned
Scan process 'avguard.exe' - '65' Module(s) have been scanned
Scan process 'iexplore.exe' - '154' Module(s) have been scanned
Scan process 'hpswp_clipbook.exe' - '28' Module(s) have been scanned
Scan process 'iexplore.exe' - '144' Module(s) have been scanned
Scan process 'iexplore.exe' - '75' Module(s) have been scanned
Scan process 'hphc_service.exe' - '27' Module(s) have been scanned
Scan process 'SynTPHelper.exe' - '13' Module(s) have been scanned
Scan process 'HpqToaster.exe' - '28' Module(s) have been scanned
Scan process 'iPodService.exe' - '30' Module(s) have been scanned
Scan process 'Com4QLBEx.exe' - '18' Module(s) have been scanned
Scan process 'WiFiMsg.EXE' - '36' Module(s) have been scanned
Scan process 'DllHost.exe' - '52' Module(s) have been scanned
Scan process 'WLIDSvcM.exe' - '16' Module(s) have been scanned
Scan process 'ArcCon.ac' - '62' Module(s) have been scanned
Scan process 'ehmsas.exe' - '26' Module(s) have been scanned
Scan process 'ONENOTEM.EXE' - '18' Module(s) have been scanned
Scan process 'FilterAgent.exe' - '36' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '34' Module(s) have been scanned
Scan process 'Skype.exe' - '106' Module(s) have been scanned
Scan process 'ehtray.exe' - '29' Module(s) have been scanned
Scan process 'ACDaemon.exe' - '45' Module(s) have been scanned
Scan process 'EEventManager.exe' - '31' Module(s) have been scanned
Scan process 'hpqwmiex.exe' - '32' Module(s) have been scanned
Scan process 'jusched.exe' - '22' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '75' Module(s) have been scanned
Scan process 'HPWAMain.exe' - '42' Module(s) have been scanned
Scan process 'QLBCTRL.exe' - '52' Module(s) have been scanned
Scan process 'MSASCui.exe' - '72' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '46' Module(s) have been scanned
Scan process 'xaudio.exe' - '14' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '64' Module(s) have been scanned
Scan process 'WLIDSVC.EXE' - '52' Module(s) have been scanned
Scan process 'svchost.exe' - '7' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'SCAppMgr.exe' - '63' Module(s) have been scanned
Scan process 'RichVideo.exe' - '19' Module(s) have been scanned
Scan process 'taskeng.exe' - '49' Module(s) have been scanned
Scan process 'BLService.exe' - '25' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '22' Module(s) have been scanned
Scan process 'svchost.exe' - '22' Module(s) have been scanned
Scan process 'lxdvcoms.exe' - '36' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '30' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '31' Module(s) have been scanned
Scan process 'taskeng.exe' - '81' Module(s) have been scanned
Scan process 'ACService.exe' - '24' Module(s) have been scanned
Scan process 'Explorer.EXE' - '132' Module(s) have been scanned
Scan process 'Dwm.exe' - '32' Module(s) have been scanned
Scan process 'WLANExt.exe' - '45' Module(s) have been scanned
Scan process 'svchost.exe' - '58' Module(s) have been scanned
Scan process 'spoolsv.exe' - '94' Module(s) have been scanned
Scan process 'svchost.exe' - '94' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '87' Module(s) have been scanned
Scan process 'SLsvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '151' Module(s) have been scanned
Scan process 'svchost.exe' - '115' Module(s) have been scanned
Scan process 'winlogon.exe' - '30' Module(s) have been scanned
Scan process 'svchost.exe' - '72' Module(s) have been scanned
Scan process 'svchost.exe' - '57' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '25' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'lsm.exe' - '22' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '33' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'wininit.exe' - '26' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1845' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\13E62A64-00003EEA.eml
[0] Archive type: MIME
[DETECTION] Is the TR/Spy.ZBot.HNO Trojan
--> Gift_Certificate_131.zip
[1] Archive type: ZIP
--> Gift_Certificate_131.exe
[DETECTION] Is the TR/Spy.ZBot.HNO Trojan
C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\23186D38-00003EE4.eml
[0] Archive type: MIME
[DETECTION] Is the TR/Spy.ZBot.HNO Trojan
--> Gift_Certificate_131.zip
[1] Archive type: ZIP
--> Gift_Certificate_131.exe
[DETECTION] Is the TR/Spy.ZBot.HNO Trojan
C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\00294823-0000064C.eml
[0] Archive type: MIME
[DETECTION] Is the TR/Agent.APDA Trojan
--> file1.mim
[1] Archive type: MIME
--> UPS_invoice_4794.zip
[2] Archive type: ZIP
--> UPS_invoice_4794.exe
[DETECTION] Is the TR/Agent.APDA Trojan
C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\1C2B7AFD-000005F9.eml
[0] Archive type: MIME
[DETECTION] Is the TR/Agent.APDA Trojan
--> UPS_invoice_4794.zip
[1] Archive type: ZIP
--> UPS_invoice_4794.exe
[DETECTION] Is the TR/Agent.APDA Trojan
C:\Users\Stacy\AppData\Local\Temp\tmp7DE.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
Begin scan in 'D:\' <RECOVERY>
D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com
[DETECTION] Is the TR/Dropper.Gen Trojan

Beginning disinfection:
D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '49921ed6.qua'.
C:\Users\Stacy\AppData\Local\Temp\tmp7DE.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '514131b1.qua'.
C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\1C2B7AFD-000005F9.eml
[DETECTION] Is the TR/Agent.APDA Trojan
[NOTE] The file was moved to the quarantine directory under the name '03586b77.qua'.
C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\00294823-0000064C.eml
[DETECTION] Is the TR/Agent.APDA Trojan
[NOTE] The file was moved to the quarantine directory under the name '656f24a6.qua'.
C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\23186D38-00003EE4.eml
[DETECTION] Is the TR/Spy.ZBot.HNO Trojan
[NOTE] The file was moved to the quarantine directory under the name '20ec099b.qua'.
C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\13E62A64-00003EEA.eml
[DETECTION] Is the TR/Spy.ZBot.HNO Trojan
[NOTE] The file was moved to the quarantine directory under the name '5fc33bfa.qua'.


End of the scan: Tuesday, November 16, 2010 12:07
Used time: 2:25:07 Hour(s)

The scan has been done completely.

30178 Scanned directories
630421 Files were scanned
6 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
6 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
630415 Files not concerned
25706 Archives were scanned
0 Warnings
6 Notes
710258 Objects were scanned with rootkit scan
0 Hidden objects were found

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=95afe8dbe67aed48b82a93ef9dfd61ee
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-16 04:14:35
# local_time=2010-11-15 11:14:35 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776573 100 100 0 126477937 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=250549
# found=3
# cleaned=0
# scan_time=10466
C:\Users\Stacy\AppData\Local\Temp\tmp7DE.tmp a variant of Win32/Kryptik.GL trojan 00000000000000000000000000000000 I
C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp Win32/Olmarik.LT virus 00000000000000000000000000000000 I
D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com a variant of Win32/Kryptik.GL trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=95afe8dbe67aed48b82a93ef9dfd61ee
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-16 08:12:09
# local_time=2010-11-16 03:12:09 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775165 100 94 0 25517381 0 0
# compatibility_mode=5892 16776573 100 100 0 126535160 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=251108
# found=1
# cleaned=0
# scan_time=10697
C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp Win32/Olmarik.LT virus 00000000000000000000000000000000 I
 
The second submission of the Eset log is the full log- did you note the difference?

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    
    :Files 
    C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===================================================
For this: D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com a variant of Win32/Kryptik.GL trojan
The Recycler is a hidden system folder. Although the programs may say 'deleted' or 'quarantined', there is a special way to remove an entry. The Recycler is where the Recycle Bin puts the files and folders that are deleted. To remove the infected files, 2 steps must be done first:
1. The Recycle Bin must be empty so be sure to do that right before bringing up the Recycler.
2. Show Hidden Folders/Files using Windows Explorer
Open Windows Explorer: Windows key + E
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
With Windows Explorer still open, scroll down to the Recycler on the left and double click on it to open.
  • Look on the right screen for the SID S-4-2-38-100014665-100025770-100003339-9018
  • Right-click > Delete on the numerical string.
  • Close Windows Explorer
Reset Hidden/System Files & Folders
===============================================
Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename ComboFix unless instructed.
  [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double-click combofix.exe and follow the prompts to run.
  • NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If ComboFix asks you to install Recovery Console, please allow it.
  [6]. If ComboFix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  [7]. A report will be generated after the scan. Please paste C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
==================================
Please don't run any scans unless I request them.
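As an added illustration of the Recycler step above (example code, not the helper's or OldTimer's tool): a genuine per-user Recycle Bin subfolder is named after the owning account's SID, which is always of the form S-1-5-21-<three domain numbers>-<RID>, so a RECYCLER entry whose name merely looks SID-shaped can be told apart structurally. The folder names below are a constructed sample that includes the entry flagged in the Avira and ESET logs.

```python
import re

# Constructed sample of subfolder names as they might be listed under D:\RECYCLER.
# The first is the folder flagged in the scan logs; the second is the shape of a
# real per-user Recycle Bin folder (constructed numbers); the rest are not
# per-user Recycle Bin folders at all.
SAMPLE_RECYCLER_ENTRIES = [
    "S-4-2-38-100014665-100025770-100003339-9018",
    "S-1-5-21-1004336348-1177238915-682003330-1003",
    "S-1-5-18",
    "Thumbs.db",
]

# S-<revision>-<identifier authority>[-<sub-authority>]*
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(name):
    """Return (revision, authority, [sub-authorities]) or None if `name` is not SID-shaped."""
    m = SID_RE.match(name)
    if m is None:
        return None
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(part) for part in m.group(3).split("-") if part]
    return revision, authority, subs


def recycler_entry_reason(name):
    """Return None if `name` looks like a per-user Recycle Bin folder, otherwise
    a short reason why it does not.

    Structural facts used: Windows only issues SIDs with revision 1; account SIDs
    use the NT authority (5) with first sub-authority 21; a user SID carries the
    three-number domain/machine identifier followed by one RID.
    """
    parsed = parse_sid(name)
    if parsed is None:
        return "not SID-shaped"
    revision, authority, subs = parsed
    if revision != 1:
        return f"SID revision is {revision}; Windows only issues revision 1"
    if authority != 5 or subs[:1] != [21]:
        return "not a per-user account SID (expected S-1-5-21-...)"
    if len(subs) != 5:
        return f"expected domain triple plus RID (5 sub-authorities), got {len(subs)}"
    return None


def suspicious_recycler_entries(names):
    """Pair every name that fails the per-user SID shape check with its reason."""
    flagged = []
    for name in names:
        reason = recycler_entry_reason(name)
        if reason is not None:
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for name, reason in suspicious_recycler_entries(SAMPLE_RECYCLER_ENTRIES):
        print(f"{name}: {reason}")
```

On a live system the list would come from enumerating the RECYCLER folder with hidden and protected files shown, exactly as the steps above describe; a flagged name is a candidate for a closer look, not proof by itself.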
 
All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Stacy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 10235764 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 957 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 128620 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 69264 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 10.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 11162010_192410

Files moved on Reboot...

Registry entries deleted on Reboot...

ComboFix 10-11-16.02 - Stacy 11/16/2010 19:45:19.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.1020 [GMT -5:00]
Running from: c:\users\Stacy\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Stacy\g2mdlhlpx.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))
.

2010-11-17 00:57 . 2010-11-17 00:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-17 00:24 . 2010-11-17 00:24 -------- d-----w- C:\_OTM
2010-11-16 17:12 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B7BC6D6D-13D3-4314-BDCE-071C6568FA94}\mpengine.dll
2010-11-16 13:42 . 2010-11-16 13:42 -------- d-----w- c:\users\Stacy\AppData\Roaming\Avira
2010-11-16 13:25 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-16 13:25 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\programdata\Avira
2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\program files\Avira
2010-11-16 11:33 . 2010-11-16 11:33 -------- d-----w- c:\users\Stacy\AppData\Roaming\AVG10
2010-11-16 11:31 . 2010-11-16 11:31 -------- d--h--w- c:\programdata\Common Files
2010-11-16 11:30 . 2010-11-16 12:28 -------- d-----w- c:\programdata\AVG10
2010-11-16 11:28 . 2010-11-16 11:28 -------- d-----w- c:\program files\AVG
2010-11-16 11:25 . 2010-11-16 11:28 -------- d-----w- c:\programdata\MFAData
2010-11-16 01:16 . 2010-11-16 01:16 -------- d-----w- c:\program files\ESET
2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\users\Stacy\AppData\Roaming\SUPERAntiSpyware.com
2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-09 19:25 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-08 03:09 . 2010-11-08 03:09 -------- d-----w- c:\windows\system32\20-20 Technologies
2010-10-27 11:59 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 11:59 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 11:59 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2009-10-02 15:58 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-14 14:12 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 14:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 14:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 14:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 14:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 14:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 14:11 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 14:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 14:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 14:12 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 14:12 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 14:12 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 14:12 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 14:12 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-14 14:11 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 14:11 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 14:11 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 14:11 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37 . 2010-10-14 14:11 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33 . 2010-10-27 11:59 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33 . 2010-10-27 11:59 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33 . 2010-10-27 11:59 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-26 16:33 . 2010-10-27 11:59 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-20 16:05 . 2010-10-14 14:11 867328 ----a-w- c:\windows\system32\wmpmde.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21634344]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

c:\users\Stacy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Worldspan Filter Agent.lnk - c:\wspan\swgw\FilterAgent.exe [2009-2-28 127044]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanUpdate]
2008-05-02 20:39 77824 ------w- c:\program files\Netgear Update Assistant\LANUpdate.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2007-10-18 98984]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-08-11 33024]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-08-11 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-08-11 39936]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-08-11 59904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-02 135336]
S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2007-10-18 594600]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 SCAppMgr;Smart Client App Manager;c:\program files\Ellie Mae\SCAppMgr\SCAppMgr.exe [2010-04-20 65536]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-27 66080]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-17 c:\windows\Tasks\User_Feed_Synchronization-{867F16FA-928E-4639-845D-74FAB36F9873}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: worldspan.com
Trusted Zone: wspan.com
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-16 19:57
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-11-16 20:03:38
ComboFix-quarantined-files.txt 2010-11-17 01:03

Pre-Run: 62,567,206,912 bytes free
Post-Run: 62,775,189,504 bytes free

- - End Of File - - 49A59A4CCDD5253E41C15DD4105356C0
 
You have processes for both Avira and AVG10 running. Please uninstall one of them. How is it that neither shows in the list of your installed programs?
2010-11-16 11:28 -------- d-----w- c:\program files\AVG
2010-11-16 13:25 -------- d-----w- c:\program files\Avira


And the Combofix header shows:
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

But there is no reference to either one of these AV programs being disabled for the scan.
=========================================
Download Security Check and save it to your Desktop.
  • Double-click SecurityCheck.exe to run.
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
=======================================
Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad and copy/paste the text in the code below into it:
Code:
File::

DDS::
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateLBPShortCut"=-
"UpdatePSTShortCut"=-
"UpdateP2GoShortCut"=-
"UpdatePDIRShortCut"=-

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
 
I had uninstalled AVG in favor of Avira; I'm not sure how to further the uninstall of AVG to stop the processes. I don't have an answer for why they don't show in installed programs.

Proceeding with other instructions now.
 
Thanks for your help with all this Bobbye!!

Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 17
Out of date Java installed!
Adobe Flash Player
Adobe Reader 8
Adobe Reader 9.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Windows Defender MSASCui.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


ComboFix 10-11-16.05 - Stacy 11/17/2010 8:31.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.841 [GMT -5:00]
Running from: c:\users\Stacy\Desktop\ComboFix.exe
Command switches used :: c:\users\Stacy\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Stacy\AppData\Local\Temp\ppcrlui_4604_2

.
((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))
.

2010-11-17 13:43 . 2010-11-17 13:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-17 00:24 . 2010-11-17 00:24 -------- d-----w- C:\_OTM
2010-11-16 17:12 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B7BC6D6D-13D3-4314-BDCE-071C6568FA94}\mpengine.dll
2010-11-16 13:42 . 2010-11-16 13:42 -------- d-----w- c:\users\Stacy\AppData\Roaming\Avira
2010-11-16 13:25 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-16 13:25 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\programdata\Avira
2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\program files\Avira
2010-11-16 11:33 . 2010-11-16 11:33 -------- d-----w- c:\users\Stacy\AppData\Roaming\AVG10
2010-11-16 11:31 . 2010-11-16 11:31 -------- d--h--w- c:\programdata\Common Files
2010-11-16 11:30 . 2010-11-16 12:28 -------- d-----w- c:\programdata\AVG10
2010-11-16 11:28 . 2010-11-16 11:28 -------- d-----w- c:\program files\AVG
2010-11-16 11:25 . 2010-11-16 11:28 -------- d-----w- c:\programdata\MFAData
2010-11-16 01:16 . 2010-11-16 01:16 -------- d-----w- c:\program files\ESET
2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\users\Stacy\AppData\Roaming\SUPERAntiSpyware.com
2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-09 19:25 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-08 03:09 . 2010-11-08 03:09 -------- d-----w- c:\windows\system32\20-20 Technologies
2010-10-27 11:59 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 11:59 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 11:59 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2009-10-02 15:58 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-14 14:12 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 14:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 14:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 14:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 14:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 14:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 14:11 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 14:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 14:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 14:12 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 14:12 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 14:12 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 14:12 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 14:12 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-14 14:11 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 14:11 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 14:11 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 14:11 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37 . 2010-10-14 14:11 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33 . 2010-10-27 11:59 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33 . 2010-10-27 11:59 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33 . 2010-10-27 11:59 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-26 16:33 . 2010-10-27 11:59 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-20 16:05 . 2010-10-14 14:11 867328 ----a-w- c:\windows\system32\wmpmde.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21634344]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

c:\users\Stacy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Worldspan Filter Agent.lnk - c:\wspan\swgw\FilterAgent.exe [2009-2-28 127044]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanUpdate]
2008-05-02 20:39 77824 ------w- c:\program files\Netgear Update Assistant\LANUpdate.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2007-10-18 98984]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-08-11 33024]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-08-11 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-08-11 39936]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-08-11 59904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-02 135336]
S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2007-10-18 594600]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 SCAppMgr;Smart Client App Manager;c:\program files\Ellie Mae\SCAppMgr\SCAppMgr.exe [2010-04-20 65536]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-27 66080]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-17 c:\windows\Tasks\User_Feed_Synchronization-{867F16FA-928E-4639-845D-74FAB36F9873}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: worldspan.com
Trusted Zone: wspan.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-17 08:43
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000000BD7CE03C18CB20D20C 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-11-17 08:47:39
ComboFix-quarantined-files.txt 2010-11-17 13:47
ComboFix2.txt 2010-11-17 01:03

Pre-Run: 62,726,090,752 bytes free
Post-Run: 62,718,414,848 bytes free

- - End Of File - - 9EF48E7063BA1B6F06A8C9DB339303A0
 
Removal tools for programs you don't want to keep:
Norton Removal Tool
AVG Removal: Note: You may have to reinstall AVG to uninstall it fully

Windows Firewall Disabled!>> Enable if you uninstall Norton
Avira AntiVir Personal - Free Antivirus>> 1 antivirus
ESET Online Scanner v3>> 2 antivirus
Norton Internet Security> 3 antivirus
You are also still running AVG10.>> 4 antivirus. The Security Check didn't pick it up.>> uninstall

Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware>> Keep if paid. Or will remove at end if it's our free scan.
Java(TM) 6 Update 17>> uninstall, outdated. Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
Adobe Flash Player>> uninstall. Update to Adobe Flash Player 10.1.102.64>> http://get.adobe.com/flashplayer/
Adobe Reader 8>> uninstall, outdated.
Adobe Reader 9.1

RULE: One antivirus, one firewall. Remove others.
Update as indicated.

Handle these please while I check Combofix.
 
Windows firewall>On
Nortons>uninstalled
AVG>uninstalled
ESET>uninstalled
Java>v6.22
Flashplayer>uninstalled and updated
Adobe Reader 8>uninstalled

One Antivirus: Avira
One Firewall: Windows Firewall

I did not install AVG to uninstall it; I just ran the AVG removal. They required an uninstall of Avira to install AVG.
 
Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\TEMP\TMP000000BD7CE03C18CB20D20C
Folder::
c:\users\Stacy\AppData\Roaming\AVG10
c:\programdata\Common Files
c:\programdata\AVG10
c:\program files\AVG
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
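The two CFScripts in this thread are built by reading the ComboFix log by eye: the IE ProxyServer entry pointing at 127.0.0.1:50370 (a proxy on the local machine that nothing serves once the dropped files are gone, which is enough by itself to make every page load in IE fail), the "No File" toolbar orphan, and the hidden executable catchme found in c:\windows\TEMP. The script below is an added example, not code from the thread or from ComboFix, that applies those same heuristics to log lines and drafts the File::, Registry:: and DDS:: sections in the format the helper's scripts use. The sample log is constructed: the proxy, orphan and hidden-file lines mirror the thread, while the "updater" Run value is invented to show the autostart rule firing. The rule names, the "suspect directory" list and the system-binary name list are this example's own assumptions; the drafted script is a starting point to review by hand, not something to drag onto ComboFix.exe unread.

```python
"""Triage ComboFix-style log lines and draft a CFScript from the hits.

Added example, not part of the thread. Rules are heuristics:
  * ProxyServer on 127.0.0.1/localhost  -> stale local proxy, IE cannot connect
  * autostart image under \\AppData\\ or \\Temp\\ -> dropper-style persistence
  * system binary name (svchost.exe, dwm.exe, ...) outside \\Windows\\
  * "- No File" / "(no file)" entries   -> orphans
  * catchme hidden executable in TEMP   -> candidate for File::
  * EnableLUA = 0                        -> UAC disabled (report only)
"""
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape ComboFix prints; the "updater" value is
# invented, the other lines mirror what the thread's log showed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"updater"="c:\users\stacy\appdata\local\temp\updater.exe" [2010-11-14 45056]
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
c:\windows\TEMP\TMP000000BD7CE03C18CB20D20C 524288 bytes executable
"""

SUSPECT_DIRS = ("\\appdata\\", "\\temp\\")          # assumption: where droppers land
SYSTEM_NAMES = {"svchost.exe", "dwm.exe", "explorer.exe", "csrss.exe", "lsass.exe"}

KEY_HDR = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_VAL = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
PROXY = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.-]+):(?P<port>\d+)", re.I)
HIDDEN = re.compile(r"^(?P<path>[a-z]:\\\S+)\s+\d+\s+bytes\s+executable$", re.I)


def triage(log):
    """Return a list of (rule, line, registry_key) hits; key is the last
    [HKEY_...] header seen, so Run values can be deleted under it later."""
    hits, key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if m := KEY_HDR.match(line):
            key = m.group(1)
        elif (m := PROXY.search(line)) and m["host"] in ("127.0.0.1", "localhost"):
            hits.append(("loopback-proxy", line, None))
        elif m := RUN_VAL.match(line):
            path = m["path"].lower()
            if any(d in path for d in SUSPECT_DIRS):
                hits.append(("autostart-in-appdata-or-temp", line, key))
            elif PureWindowsPath(path).name in SYSTEM_NAMES and "\\windows\\" not in path:
                hits.append(("system-name-outside-windows", line, key))
        elif line.lower().endswith(("- no file", "(no file)")):
            hits.append(("orphan-entry", line, None))
        elif (m := HIDDEN.match(line)) and "\\temp\\" in m["path"].lower():
            hits.append(("hidden-exe-in-temp", line, None))
        elif line.startswith('"EnableLUA"') and line.endswith("0 (0x0)"):
            hits.append(("uac-disabled", line, key))
    return hits


def draft_cfscript(hits):
    """Draft File::, Registry:: and DDS:: sections from the hits.  The UAC
    hit is deliberately left out: that is a setting to turn back on, not
    something to delete."""
    files, reg, dds = [], {}, []
    for rule, line, key in hits:
        if rule == "hidden-exe-in-temp":
            files.append(HIDDEN.match(line)["path"])
        elif rule in ("autostart-in-appdata-or-temp", "system-name-outside-windows"):
            name = RUN_VAL.match(line)["name"]
            reg.setdefault(key, []).append('"%s"=-' % name)   # "=-" deletes the value
        elif rule in ("loopback-proxy", "orphan-entry"):
            dds.append(line)                                    # DDS:: takes the line as-is
    out = []
    if files:
        out += ["File::", *files, ""]
    if reg:
        out.append("Registry::")
        for key, values in reg.items():
            out += ["[%s]" % key, *values, ""]
    if dds:
        out += ["DDS::", *dds, ""]
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, line, _ in found:
        print("%-30s %s" % (rule, line))
    print()
    print(draft_cfscript(found))
```

Run it on a saved ComboFix.txt by replacing SAMPLE_LOG with the file contents; the drafted Registry:: block uses the `"name"=-` form the thread's first CFScript uses to delete a Run value, and anything the rules miss (for example a Winlogon Shell value or a service) still has to be added by hand.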
 
Okie dokey, here we go...

ComboFix 10-11-18.04 - Stacy 11/19/2010 9:22.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.1012 [GMT -5:00]
Running from: c:\users\Stacy\Desktop\ComboFix.exe
Command switches used :: c:\users\Stacy\Desktop\cfscript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\TEMP\TMP000000BD7CE03C18CB20D20C"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AVG
c:\program files\AVG\AVG10\avgfree_zh.mht
c:\program files\AVG\AVG10\avgfree_zt.mht
c:\program files\AVG\AVG10\Notification\avgxobni_installerxTE.exe
c:\program files\AVG\AVG10\Notification\XobniMiniAVGSetup.exe
c:\programdata\AVG10
c:\programdata\AVG10\Cfg\admin.cfg
c:\programdata\AVG10\Cfg\changecfgreg.cfg
c:\programdata\AVG10\Cfg\csl.cfg
c:\programdata\AVG10\Cfg\emssrv.cfg
c:\programdata\AVG10\Cfg\erd.cfg
c:\programdata\AVG10\Cfg\idp.cfg
c:\programdata\AVG10\Cfg\krnl.cfg
c:\programdata\AVG10\Cfg\mail.cfg
c:\programdata\AVG10\Cfg\mailsrv.cfg
c:\programdata\AVG10\Cfg\mailsrvvsapi.cfg
c:\programdata\AVG10\Cfg\malrep.cfg
c:\programdata\AVG10\Cfg\scan.cfg
c:\programdata\AVG10\Cfg\sched.cfg
c:\programdata\AVG10\Cfg\setup.cfg
c:\programdata\AVG10\Cfg\spsrv.cfg
c:\programdata\AVG10\Cfg\update.cfg
c:\programdata\AVG10\Cfg\updatecomps.cfg
c:\programdata\AVG10\Cfg\user.cfg
c:\programdata\AVG10\cfgall\falsealarm.cfg
c:\programdata\AVG10\cfgall\krnlall.cfg
c:\programdata\AVG10\cfgall\updateall.cfg
c:\programdata\AVG10\cfgall\userall.cfg
c:\programdata\AVG10\log\avgcfg.log
c:\programdata\AVG10\log\avgcfg.log.lock
c:\programdata\AVG10\log\avgchjw.log
c:\programdata\AVG10\log\avgchjw.log.lock
c:\programdata\AVG10\log\avgchjwsrv.log
c:\programdata\AVG10\log\avgchjwsrv.log.lock
c:\programdata\AVG10\log\avgcore.log
c:\programdata\AVG10\log\avgcore.log.lock
c:\programdata\AVG10\log\avgcsl.log
c:\programdata\AVG10\log\avgcsl.log.lock
c:\programdata\AVG10\log\avgemc.log
c:\programdata\AVG10\log\avgemc.log.lock
c:\programdata\AVG10\log\avgexc.log
c:\programdata\AVG10\log\avgexc.log.lock
c:\programdata\AVG10\log\avgldr.log
c:\programdata\AVG10\log\avgldr.log.lock
c:\programdata\AVG10\log\avglng.log
c:\programdata\AVG10\log\avglng.log.lock
c:\programdata\AVG10\log\avgns.log
c:\programdata\AVG10\log\avgns.log.lock
c:\programdata\AVG10\log\avgpostinst.log
c:\programdata\AVG10\log\avgpostinst.log.lock
c:\programdata\AVG10\log\avgrs.log
c:\programdata\AVG10\log\avgrs.log.lock
c:\programdata\AVG10\log\avgscan.log
c:\programdata\AVG10\log\avgscan.log.lock
c:\programdata\AVG10\log\avgsched.log
c:\programdata\AVG10\log\avgsched.log.lock
c:\programdata\AVG10\log\avgsrm.log
c:\programdata\AVG10\log\avgsrm.log.lock
c:\programdata\AVG10\log\avgtdi.log
c:\programdata\AVG10\log\avgtdi.log.lock
c:\programdata\AVG10\log\avgual.log
c:\programdata\AVG10\log\avgual.log.lock
c:\programdata\AVG10\log\avgui.log
c:\programdata\AVG10\log\avgui.log.lock
c:\programdata\AVG10\log\avgupd.log
c:\programdata\AVG10\log\avgupd.log.lock
c:\programdata\AVG10\log\avgwd.log
c:\programdata\AVG10\log\avgwd.log.lock
c:\programdata\AVG10\log\avgwdsvc.log
c:\programdata\AVG10\log\avgwdsvc.log.lock
c:\programdata\AVG10\log\avgxobniinstaller.log
c:\programdata\AVG10\log\commonpriv.log
c:\programdata\AVG10\log\commonpriv.log.lock
c:\programdata\AVG10\log\fixcfg.log
c:\programdata\AVG10\log\fixcfg.log.lock
c:\programdata\AVG10\log\history.xml
c:\programdata\AVG10\log\vault.log
c:\programdata\AVG10\log\vault.log.lock
c:\programdata\AVG10\scanlogs\I_00000001.log
c:\programdata\AVG10\scanlogs\I_00000005.log
c:\programdata\AVG10\scanlogs\I_00000006.log
c:\programdata\AVG10\scanlogs\I_00000007.log
c:\programdata\AVG10\scanlogs\I_00000008.log
c:\programdata\AVG10\scanlogs\I_00000009.log
c:\programdata\AVG10\scanlogs\I_00000010.log
c:\programdata\AVG10\scanlogs\I_00000011.log
c:\programdata\AVG10\scanlogs\I_00000012.log
c:\programdata\AVG10\scanlogs\I_00000013.log
c:\programdata\AVG10\scanlogs\I_00000014.log
c:\programdata\AVG10\scanlogs\I_00000015.log
c:\programdata\AVG10\scanlogs\I_00000016.log
c:\programdata\AVG10\scanlogs\srm.idx
c:\programdata\Common Files
c:\programdata\Common Files\9D37C3F1-C0F8-23F3-3AA7-27D37C423B51.dat
c:\users\Stacy\AppData\Roaming\AVG10
c:\users\Stacy\AppData\Roaming\AVG10\cfgall\usergui.cfg

.
((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-19 14:34 . 2010-11-19 14:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-19 13:58 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{30A32AB8-9782-4DFF-80DC-C35398950512}\mpengine.dll
2010-11-17 20:11 . 2010-11-17 20:11 -------- d-----w- c:\program files\Common Files\Java
2010-11-17 20:11 . 2010-11-17 20:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-17 00:24 . 2010-11-17 00:24 -------- d-----w- C:\_OTM
2010-11-16 13:42 . 2010-11-16 13:42 -------- d-----w- c:\users\Stacy\AppData\Roaming\Avira
2010-11-16 13:25 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-16 13:25 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\programdata\Avira
2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\program files\Avira
2010-11-16 11:25 . 2010-11-16 11:28 -------- d-----w- c:\programdata\MFAData
2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\users\Stacy\AppData\Roaming\SUPERAntiSpyware.com
2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-09 19:25 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-08 03:09 . 2010-11-08 03:09 -------- d-----w- c:\windows\system32\20-20 Technologies
2010-10-27 11:59 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 11:59 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 11:59 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2009-10-02 15:58 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-14 14:12 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 14:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 14:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 14:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 14:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 14:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 14:11 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 14:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 14:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 14:12 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 14:12 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 14:12 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 14:12 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 14:12 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-14 14:11 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 14:11 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 14:11 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 14:11 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37 . 2010-10-14 14:11 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33 . 2010-10-27 11:59 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33 . 2010-10-27 11:59 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33 . 2010-10-27 11:59 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-26 16:33 . 2010-10-27 11:59 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21634344]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\users\Stacy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanUpdate]
2008-05-02 20:39 77824 ------w- c:\program files\Netgear Update Assistant\LANUpdate.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2007-10-18 98984]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-08-11 33024]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-08-11 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-08-11 39936]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-08-11 59904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-02 135336]
S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2007-10-18 594600]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 SCAppMgr;Smart Client App Manager;c:\program files\Ellie Mae\SCAppMgr\SCAppMgr.exe [2010-04-20 65536]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-27 66080]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-19 c:\windows\Tasks\User_Feed_Synchronization-{867F16FA-928E-4639-845D-74FAB36F9873}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: worldspan.com
Trusted Zone: wspan.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 09:35
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-11-19 09:39:55
ComboFix-quarantined-files.txt 2010-11-19 14:39
ComboFix2.txt 2010-11-17 13:47
ComboFix3.txt 2010-11-17 01:03

Pre-Run: 62,758,768,640 bytes free
Post-Run: 62,807,601,152 bytes free

- - End Of File - - EE88F335B016E1ADDDCB4B9CA601058F

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:54:10 AM, on 11/19/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\wspan\swgw\FilterAgent.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O15 - Trusted Zone: .worldspan.com
O15 - Trusted Zone: .wspan.com
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdvCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe
O23 - Service: lxdv_device - - C:\Windows\system32\lxdvcoms.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Smart Client App Manager (SCAppMgr) - Ellie Mae, Inc. - C:\Program Files\Ellie Mae\SCAppMgr\SCAppMgr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8585 bytes
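An added example, not part of this thread and not code from HijackThis or ComboFix: a small Python triage script that reads the two log formats posted above (HijackThis O4/O23 lines and the "name"="path" [date size] lines ComboFix prints under REGEDIT4) and flags the autorun entries a helper would look at first: binaries launched from user-writable folders such as AppData or Temp, system-component names like svchost.exe or dwm.exe living outside the Windows directory, and services with no vendor string. The sample lines are constructed for the example; the function names and the flagging rules are my own, not the tools'.

```python
"""Autorun triage over HijackThis (O4/O23) and ComboFix REGEDIT4-style Run
entries.  Hypothetical helper written for this thread, not part of either tool:
it flags entries for a human reviewer and never removes anything."""
import re

# Constructed sample lines in HijackThis / ComboFix syntax (not the thread's log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [svchost] C:\Users\Example\AppData\Roaming\Microsoft\svchost.exe
"load"="c:\users\example\appdata\local\temp\dwm.exe" [2010-11-14 61440]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21634344]
O23 - Service: Example Updater - - C:\Program Files\Example\updater.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Line shapes: HijackThis O4 (Run keys), HijackThis O23 (services; the vendor
# field may be blank, which renders as "- -"), and the "name"="path" [date size]
# lines ComboFix prints under REGEDIT4.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) -(?: (?P<vendor>.*?))? - (?P<cmd>.*)$")
REG_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?: \[.*\])?$')
# First drive-letter path ending in a binary extension inside a command line.
EXE_RE = re.compile(r"(?P<path>[a-z]:\\.*?\.(?:exe|dll|scr|sys))", re.I)

# Folders any user account can write to; persistence from here is a red flag.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|recycler|\$recycle\.bin)\\", re.I)
# Names of Windows components that malware likes to borrow.
SYSTEM_NAMES = {"svchost.exe", "dwm.exe", "explorer.exe", "csrss.exe",
                "lsass.exe", "winlogon.exe", "services.exe"}
# Where those names legitimately live: %SystemRoot% or %SystemRoot%\system32.
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.I)


def assess(path, vendor=None):
    """Return the list of reasons an autorun entry deserves a closer look."""
    reasons = []
    base = path.rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(path):
        reasons.append("runs from a user-writable location")
    if base in SYSTEM_NAMES and not SYSTEM_DIR.match(path):
        reasons.append(f"{base} lives outside the Windows directory (possible name masquerade)")
    if vendor is not None and vendor.strip().lower() in ("", "unknown owner"):
        reasons.append("service lists no vendor (verify the file's publisher manually)")
    return reasons


def triage(log_text):
    """Parse the supported line shapes and return the entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        vendor = None
        m = O4_RE.match(line) or REG_RE.match(line)
        if not m:
            m = O23_RE.match(line)
            if m:
                vendor = m.group("vendor") or ""   # blank vendor shows as "- -"
        if not m:
            continue
        pm = EXE_RE.search(m.group("cmd"))
        if not pm:
            continue
        reasons = assess(pm.group("path"), vendor)
        if reasons:
            findings.append({"name": m.group("name"), "path": pm.group("path"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']}: {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it as a script to see the flagged sample entries, or call triage() on the pasted text of a real log. A flagged entry is a pointer, not a verdict: an "Unknown owner" service can be perfectly legitimate, so each hit still needs the file's publisher and location checked by hand.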
 
Good job! System clean!
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


If any programs we used remain, you can uninstall them in Add/Remove Programs in the Control Panel.

Empty the Recycle Bin
Let me know if you have any more questions.
 
Thank you Bobbye, not only are you a handsome man, but intelligent as well.

You made this very simple. Oh, now my wife just piped in and wants to thank you as well.

Thanks for all your help!! :wave:
 
You're welcome to both of you! Here are some tips to help you stay clean- she can use them too:

Tips for added security and safer browsing:
Note: Some of these programs may not work on Windows 7 or a 64-bit OS.
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This tutorial will help guide you through configuring security settings, managing ActiveX controls and other safety features: Make Internet Explorer safer.
  2. Have layered security:
    • Antivirus software (only one): Both of the following programs are free and known to be good:
      ◦ Avira Free
      ◦ Avast Home
    • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      ◦ Comodo
      ◦ Zone Alarm
    • Antispyware: I recommend all of the following:
      ◦ SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
      ◦ ZonedOut: Download ZonedOut and save it to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. It places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
        For IE7 and IE8, Windows 2000 through Vista. No Windows 7 yet.
        IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up to date before adding sites to your Restricted zone.
        Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization, the problem goes away.
      ◦ MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      ◦ Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.
  3. Stay current on updates:
    ◦ Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
    ◦ Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates, as they are vulnerabilities.
    ◦ Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    ◦ For Internet Explorer: Internet Options (through Tools or Control Panel) > Privacy tab > Advanced button > check 'Override automatic Cookie handling' > check 'Accept first-party Cookies' > check 'Block third-party Cookies' > check 'Allow per-session Cookies' > Apply > OK.
    ◦ For Firefox: Tools > Options > Privacy > Cookies > check 'Accept Cookies from sites' > uncheck 'Accept third-party Cookies' > set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'Use custom settings for History'.)
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads, banners and other sources:
    ◦ AdBlock Plus
    ◦ EasyList
  5. Do regular maintenance:
    Remove Temporary Internet Files regularly:
    ◦ ATF Cleaner by Atribune
    OR
    ◦ TFC
    Disable and enable System Restore:
    ◦ See the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points, and what information is in them.
  6. Practice safe email handling:
    ◦ Don't open email from anyone you don't know.
    ◦ Don't open attachments in the email. Save them to your desktop and scan them for viruses using a right click.
    ◦ Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based email services like Yahoo.
 