Malware.Trace; Backdoor.Bot; Trojan.Shell;Trojan.Agent Found

By wildbilliii
Nov 15, 2010
  1. Hello and Thanks up front!!

    IE8 will not connect to any webpages after my wife clicked on a spot last night while surfing the net.

    I have followed your 8 steps and the results are pasted below:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5120

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18975

    11/15/2010 7:49:48 AM
    mbam-log-2010-11-15 (07-49-48).txt

    Scan type: Quick scan
    Objects scanned: 150100
    Time elapsed: 11 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\users\stacy\appdata\local\temp\dwm.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\Stacy\AppData\Roaming\Microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Users\Stacy\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.
    C:\Users\Stacy\AppData\Local\Temp\dwm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-11-15 12:14:40
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 WDC_WD1600BEVT-60ZCT1 rev.13.01A13
    Running: 34svv3lk.exe; Driver: C:\Users\Stacy\AppData\Local\Temp\fglcypog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Stacy at 12:15:07.56 on Mon 11/15/2010
    Internet Explorer: 8.0.6001.18975
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.917 [GMT -5:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\lxdvcoms.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\SMINST\BLService.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Ellie Mae\SCAppMgr\SCAppMgr.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Epson Software\Event Manager\EEventManager.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\wspan\swgw\FilterAgent.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Stacy\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    StartupFolder: c:\users\stacy\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\worlds~1.lnk - c:\wspan\swgw\FilterAgent.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    Trusted Zone: worldspan.com
    Trusted Zone: wspan.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ============= SERVICES / DRIVERS ===============

    R2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe -service --> c:\windows\system32\lxdvcoms.exe -service [?]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-25 365952]
    R2 SCAppMgr;Smart Client App Manager;c:\program files\ellie mae\scappmgr\SCAppMgr.exe [2008-7-29 65536]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-25 193840]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-6-26 66080]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdvserv.exe [2007-10-18 98984]
    S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-3-15 33024]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-3-15 41344]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-3-15 39936]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-3-15 59904]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2010-11-12 12:41:11 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{a7dd4ae4-c2aa-4d1c-a1bb-9762fbbe2c5b}\mpengine.dll
    2010-11-09 19:25:24 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2010-11-08 03:09:13 -------- d-----w- c:\windows\system32\20-20 Technologies
    2010-10-27 11:59:37 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-27 11:59:36 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-27 11:59:36 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

    ==================== Find3M ====================

    2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll

    ============= FINISH: 12:15:57.38 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-10.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/8/2009 11:57:30 PM
    System Uptime: 11/15/2010 8:14:08 AM (4 hours ago)

    Motherboard: Wistron | | 303C
    Processor: AMD Athlon Dual-Core QL-62 | Socket A | 1000/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 138 GiB total, 57.442 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 1.827 GiB free.
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Officejet 6000 E609n
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Officejet 6000 E609n
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:

    Class GUID: {4d36e979-e325-11ce-bfc1-08002be10318}
    Description: Officejet 6000 E609n
    Device ID: ROOT\PRINTER\0000
    Manufacturer: HP
    Name: Officejet 6000 E609n
    PNP Device ID: ROOT\PRINTER\0000
    Service:

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    6000E609_eDocs
    6000E609_Help
    6000E609n
    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8
    Adobe Reader 9.1
    Adobe Shockwave Player
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft MediaImpression
    Atheros Driver Installation Program
    Bing Maps 3D
    Bonjour
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    Conexant HD Audio
    CyberLink DVD Suite
    DeviceDiscovery
    Epson Copy Utility 3.4
    Epson Event Manager
    EPSON Perfection V300 Photo Scanner Driver Update
    EPSON Scan
    ESU for Microsoft Vista
    GO! Res
    GoToMeeting 4.0.0.320
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP DVD Play 3.7
    HP Help and Support
    HP Imaging Device Functions 12.0
    HP Officejet 6000 E609 Series
    HP Photosmart Essential 3.5
    HP Quick Launch Buttons 6.40 H2
    HP Smart Web Printing
    HP Total Care Advisor
    HP Update
    HP User Guides 0118
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPNetworkAssistant
    HPPhotoSmartDiscLabelContent1
    HPPhotosmartEssential
    HPTCSSetup
    iTunes
    Java(TM) 6 Update 17
    Juno Preloader
    LabelPrint
    LanUpdate
    Lexmark X5400 Series
    LightScribe System Software 1.14.17.1
    Malwarebytes' Anti-Malware
    Micrografx Windows Draw 6 LE
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Live Search Toolbar
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J# 2.0 Redistributable Package
    Microsoft Works
    Microsoft XML Parser
    Move Media Player
    MP3 Rocket
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee Reveal
    My HP Games
    Netgear Update Assistant
    NetWaiting
    Network
    Norton Internet Security
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    PANTECH UM175 Driver
    Picasa 3
    Power2Go
    PowerDirector
    ProductContext
    PVSonyDll
    QuickTime
    Realtek USB 2.0 Card Reader
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Serif DrawPlus 4.0
    Serif PagePlus 10.0 Resource CD-ROM
    Serif PagePlus 9.0
    Skype™ 3.8
    SmartClient Core
    SmartClient Installation Manager
    SmartWebPrinting
    Spelling Dictionaries Support For Adobe Reader 9
    SPORE Creature Creator Trial Edition
    Status
    Synaptics Pointing Device Driver
    Toolbox
    TrayApp
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VZAccess Manager
    WebReg
    Windows Live ID Sign-in Assistant
    Worldspan API

    ==== End Of File ===========================
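The logs above are read by hand in this thread; as an added example (not code from the thread or from any tool named in it), here is a small Python triage pass over lines in the shape of the MBAM, DDS and ESET output posted, flagging the Winlogon\Shell chain, autostarts and files under user-writable directories, system-binary names outside system32, a proxy pointed at loopback (a plausible reason a browser stops loading pages once the process listening there is gone), and UAC switched off. All function names and patterns are assumptions for this example, and the sample lines are constructed from the findings in the logs.

```python
"""Triage DDS / MBAM-style report lines for the persistence and proxy tricks seen above."""
import re

# Directories a normal autostart or system binary should not live in
# (assumed list for this example; extend to taste).
USER_WRITABLE = re.compile(r"\\(appdata|temp|recycler|recycled|programdata)\\", re.I)
# Proxy values that route all browser traffic back to the local machine.
LOOPBACK = re.compile(r"^(?:https?=)?(?:127(?:\.\d{1,3}){3}|localhost)(?::\d+)?$", re.I)
# Core Windows binary names; a copy outside system32 is almost always a decoy.
SYSTEM_NAMES = {"svchost.exe", "dwm.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# A Windows path ending in an executable-like extension.
PATH_RE = re.compile(r'([a-z]:\\[^"\r\n,)]+?\.(?:exe|scr|com|dll|bat|cmd|vbs|pif)\b)', re.I)


def exe_paths(text):
    """Every executable path mentioned in a fragment of a report line."""
    return PATH_RE.findall(text)


def flag_path(path, where):
    """Reasons one autostart target / file path looks wrong (empty list if none)."""
    reasons = []
    name = path.rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(path):
        reasons.append(f"{where}: executable under a user-writable directory: {path}")
    if name in SYSTEM_NAMES and "\\windows\\system32\\" not in path.lower():
        reasons.append(f"{where}: system binary name '{name}' outside system32: {path}")
    return reasons


def check_line(line):
    """Findings for one report line; an empty list means nothing fired."""
    line = line.strip()
    findings = []

    # DDS: "uInternet Settings,ProxyServer = http=127.0.0.1:50370"
    m = re.match(r"[um]Internet Settings,ProxyServer\s*=\s*(.+)$", line, re.I)
    if m:
        for entry in m.group(1).split(";"):
            if LOOPBACK.match(entry.strip()):
                findings.append(f"proxy: browser traffic routed to loopback ({entry.strip()}); "
                                "pages stop loading once nothing listens there")
        return findings

    # DDS: "mPolicies-system: EnableLUA = 0 (0x0)" means UAC is switched off.
    if re.match(r"[um]Policies-system:\s*EnableLUA\s*=\s*0\b", line, re.I):
        return ["policy: UAC disabled (EnableLUA = 0)"]

    # Winlogon\Shell should be exactly explorer.exe. MBAM prints the old value as
    # "Bad: (explorer.exe,<extra>)"; a raw "Shell = ..." value is accepted too.
    if re.search(r"Winlogon\\Shell\b", line, re.I):
        m = re.search(r"Bad:\s*\(([^)]*)\)", line) or re.search(r"=\s*(.+)$", line)
        for part in (m.group(1).split(",") if m else []):
            if part.strip().lower() != "explorer.exe":
                findings.append(f"winlogon: Shell chained to extra program: {part.strip()}")
        return findings

    # DDS StartupFolder lines: the .lnk legitimately sits under AppData, so only
    # the target after " - " is judged.
    if re.match(r"StartupFolder:", line, re.I):
        for path in exe_paths(line.rsplit(" - ", 1)[-1]):
            findings.extend(flag_path(path, "startup folder"))
        return findings

    # Registry autostarts: MBAM "...\Run\<name>" / "...\Windows\Load ... Data: <path>",
    # DDS "uRun:" / "mRun:" entries.
    if re.search(r"\\Run\\|\\Windows\\Load\b|^[um]Run:", line, re.I):
        for path in exe_paths(line):
            findings.extend(flag_path(path, "autostart"))
        return findings

    # Anything else that begins with a path: MBAM "Files Infected", the DDS
    # running-process list, or an ESET detection line.
    m = PATH_RE.match(line)
    if m:
        findings.extend(flag_path(m.group(1), "file"))
    return findings


def triage(report):
    """(line, findings) for every line of the report that produced a finding."""
    hits = []
    for raw in report.splitlines():
        found = check_line(raw)
        if found:
            hits.append((raw.strip(), found))
    return hits


# Constructed sample in the shape of the MBAM, DDS and ESET lines posted above.
SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\users\stacy\appdata\local\temp\dwm.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
C:\Users\Stacy\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com a variant of Win32/Kryptik.GL trojan
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\users\stacy\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: EnableLUA = 0 (0x0)
C:\Windows\system32\Dwm.exe
"""

if __name__ == "__main__":
    for line, found in triage(SAMPLE):
        print(line[:70])
        for f in found:
            print("   ", f)
```

Run against a saved DDS or MBAM log by passing its text to `triage()`; the clean Skype, NVIDIA, OneNote and system32 Dwm.exe lines in the sample show that ordinary autostarts produce no finding.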
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! You do have an assortment of malware- I'll help you with it.

    What you need to know about a Backdoor.bot:
    What is a Backdoor.bot?
    And yes- it makes Registry changes to the firewall, the Security Center. It can do or cause:
    1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
    2. Data theft (e.g. retrieving passwords or credit card information)
    3. Installation of software, including third-party malware
    4. Downloading or uploading of files on the user's computer
    5. Modification or deletion of files
    6. Keystroke logging
    7. Watching the user's screen
    8. Wasting the computer's storage space
    9. Crashing the computer

    Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean which may not find or remove all of its code?

    Let's run an online antivirus scan and see what it finds:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  3. wildbilliii

    wildbilliii Newcomer, in training Topic Starter Posts: 17

    Thanks Bobbye!!

    Here's what we found:

    C:\Users\Stacy\AppData\Local\Temp\tmp7DE.tmp a variant of Win32/Kryptik.GL trojan
    C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp Win32/Olmarik.LT virus
    D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com a variant of Win32/Kryptik.GL trojan
  4. wildbilliii

    wildbilliii Newcomer, in training Topic Starter Posts: 17

    I see why you guys recommend a reformat/reinstall. Is it possible to back up pics and videos before reformat/reinstall?
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No Sality is showing here. Please repost and include the entire Eset log- not just these entries.
  6. wildbilliii

    wildbilliii Newcomer, in training Topic Starter Posts: 17

    That was the extent of the log. I will run it again and try for more.
  7. wildbilliii

    wildbilliii Newcomer, in training Topic Starter Posts: 17

    I ran a scan with Avira this morning and then ran Eset, and here are the results.



    Avira AntiVir Personal
    Report file date: Tuesday, November 16, 2010 08:44

    Scanning for 3056103 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows Vista
    Windows version : (Service Pack 2) [6.0.6002]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : STACY-PC

    Version information:
    BUILD.DAT : 10.0.0.592 31823 Bytes 8/9/2010 11:00:00
    AVSCAN.EXE : 10.0.3.1 434344 Bytes 8/2/2010 21:09:56
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04
    LUKE.DLL : 10.0.2.3 104296 Bytes 8/2/2010 21:10:00
    LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36
    VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 01:27:49
    VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:37:42
    VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 22:37:42
    VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 17:29:03
    VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 21:10:03
    VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 21:10:04
    VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 21:10:06
    VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 13:26:39
    VBASE009.VDF : 7.10.13.80 2265600 Bytes 11/2/2010 13:26:43
    VBASE010.VDF : 7.10.13.81 2048 Bytes 11/2/2010 13:26:43
    VBASE011.VDF : 7.10.13.82 2048 Bytes 11/2/2010 13:26:43
    VBASE012.VDF : 7.10.13.83 2048 Bytes 11/2/2010 13:26:43
    VBASE013.VDF : 7.10.13.116 147968 Bytes 11/4/2010 13:26:44
    VBASE014.VDF : 7.10.13.147 146944 Bytes 11/7/2010 13:26:45
    VBASE015.VDF : 7.10.13.180 123904 Bytes 11/9/2010 13:26:46
    VBASE016.VDF : 7.10.13.211 122368 Bytes 11/11/2010 13:26:46
    VBASE017.VDF : 7.10.13.243 147456 Bytes 11/15/2010 13:26:47
    VBASE018.VDF : 7.10.13.244 2048 Bytes 11/15/2010 13:26:47
    VBASE019.VDF : 7.10.13.245 2048 Bytes 11/15/2010 13:26:47
    VBASE020.VDF : 7.10.13.246 2048 Bytes 11/15/2010 13:26:47
    VBASE021.VDF : 7.10.13.247 2048 Bytes 11/15/2010 13:26:47
    VBASE022.VDF : 7.10.13.248 2048 Bytes 11/15/2010 13:26:47
    VBASE023.VDF : 7.10.13.249 2048 Bytes 11/15/2010 13:26:47
    VBASE024.VDF : 7.10.13.250 2048 Bytes 11/15/2010 13:26:48
    VBASE025.VDF : 7.10.13.251 2048 Bytes 11/15/2010 13:26:48
    VBASE026.VDF : 7.10.13.252 2048 Bytes 11/15/2010 13:26:48
    VBASE027.VDF : 7.10.13.253 2048 Bytes 11/15/2010 13:26:48
    VBASE028.VDF : 7.10.13.254 2048 Bytes 11/15/2010 13:26:48
    VBASE029.VDF : 7.10.13.255 2048 Bytes 11/15/2010 13:26:48
    VBASE030.VDF : 7.10.14.0 2048 Bytes 11/15/2010 13:26:49
    VBASE031.VDF : 7.10.14.10 91136 Bytes 11/16/2010 13:26:49
    Engineversion : 8.2.4.98
    AEVDF.DLL : 8.1.2.1 106868 Bytes 8/2/2010 21:09:54
    AESCRIPT.DLL : 8.1.3.46 1364347 Bytes 11/16/2010 13:26:57
    AESCN.DLL : 8.1.6.1 127347 Bytes 8/2/2010 21:09:53
    AESBX.DLL : 8.1.3.1 254324 Bytes 8/2/2010 21:09:53
    AERDL.DLL : 8.1.9.2 635252 Bytes 11/16/2010 13:26:56
    AEPACK.DLL : 8.2.3.11 471416 Bytes 11/16/2010 13:26:56
    AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/2/2010 21:09:52
    AEHEUR.DLL : 8.1.2.41 3043703 Bytes 11/16/2010 13:26:55
    AEHELP.DLL : 8.1.14.0 246134 Bytes 11/16/2010 13:26:52
    AEGEN.DLL : 8.1.3.24 401781 Bytes 11/16/2010 13:26:50
    AEEMU.DLL : 8.1.2.0 393588 Bytes 8/2/2010 21:09:49
    AECORE.DLL : 8.1.17.0 196982 Bytes 11/16/2010 13:26:50
    AEBB.DLL : 8.1.1.0 53618 Bytes 8/2/2010 21:09:48
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 8/2/2010 21:09:56
    AVPREF.DLL : 10.0.0.0 44904 Bytes 8/2/2010 21:09:55
    AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 20:27:13
    AVREG.DLL : 10.0.3.2 53096 Bytes 8/2/2010 21:09:55
    AVSCPLR.DLL : 10.0.3.1 83816 Bytes 8/2/2010 21:09:56
    AVARKT.DLL : 10.0.0.14 227176 Bytes 8/2/2010 21:09:54
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 8/2/2010 21:09:55
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 20:27:22
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 8/2/2010 21:09:56
    NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 20:27:21
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20
    RCTEXT.DLL : 10.0.58.0 97128 Bytes 8/2/2010 21:10:08

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:,
    Process scan........................: on
    Extended process scan...............: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: Tuesday, November 16, 2010 08:44

    Starting search for hidden objects.

    The scan of running processes will be started
    Scan process 'svchost.exe' - '30' Module(s) have been scanned
    Scan process 'vssvc.exe' - '49' Module(s) have been scanned
    Scan process 'avscan.exe' - '77' Module(s) have been scanned
    Scan process 'avcenter.exe' - '65' Module(s) have been scanned
    Scan process 'avgnt.exe' - '58' Module(s) have been scanned
    Scan process 'sched.exe' - '56' Module(s) have been scanned
    Scan process 'avshadow.exe' - '33' Module(s) have been scanned
    Scan process 'avguard.exe' - '65' Module(s) have been scanned
    Scan process 'iexplore.exe' - '154' Module(s) have been scanned
    Scan process 'hpswp_clipbook.exe' - '28' Module(s) have been scanned
    Scan process 'iexplore.exe' - '144' Module(s) have been scanned
    Scan process 'iexplore.exe' - '75' Module(s) have been scanned
    Scan process 'hphc_service.exe' - '27' Module(s) have been scanned
    Scan process 'SynTPHelper.exe' - '13' Module(s) have been scanned
    Scan process 'HpqToaster.exe' - '28' Module(s) have been scanned
    Scan process 'iPodService.exe' - '30' Module(s) have been scanned
    Scan process 'Com4QLBEx.exe' - '18' Module(s) have been scanned
    Scan process 'WiFiMsg.EXE' - '36' Module(s) have been scanned
    Scan process 'DllHost.exe' - '52' Module(s) have been scanned
    Scan process 'WLIDSvcM.exe' - '16' Module(s) have been scanned
    Scan process 'ArcCon.ac' - '62' Module(s) have been scanned
    Scan process 'ehmsas.exe' - '26' Module(s) have been scanned
    Scan process 'ONENOTEM.EXE' - '18' Module(s) have been scanned
    Scan process 'FilterAgent.exe' - '36' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '34' Module(s) have been scanned
    Scan process 'Skype.exe' - '106' Module(s) have been scanned
    Scan process 'ehtray.exe' - '29' Module(s) have been scanned
    Scan process 'ACDaemon.exe' - '45' Module(s) have been scanned
    Scan process 'EEventManager.exe' - '31' Module(s) have been scanned
    Scan process 'hpqwmiex.exe' - '32' Module(s) have been scanned
    Scan process 'jusched.exe' - '22' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '75' Module(s) have been scanned
    Scan process 'HPWAMain.exe' - '42' Module(s) have been scanned
    Scan process 'QLBCTRL.exe' - '52' Module(s) have been scanned
    Scan process 'MSASCui.exe' - '72' Module(s) have been scanned
    Scan process 'SynTPEnh.exe' - '40' Module(s) have been scanned
    Scan process 'svchost.exe' - '46' Module(s) have been scanned
    Scan process 'xaudio.exe' - '14' Module(s) have been scanned
    Scan process 'SearchIndexer.exe' - '64' Module(s) have been scanned
    Scan process 'WLIDSVC.EXE' - '52' Module(s) have been scanned
    Scan process 'svchost.exe' - '7' Module(s) have been scanned
    Scan process 'svchost.exe' - '44' Module(s) have been scanned
    Scan process 'SCAppMgr.exe' - '63' Module(s) have been scanned
    Scan process 'RichVideo.exe' - '19' Module(s) have been scanned
    Scan process 'taskeng.exe' - '49' Module(s) have been scanned
    Scan process 'BLService.exe' - '25' Module(s) have been scanned
    Scan process 'svchost.exe' - '42' Module(s) have been scanned
    Scan process 'svchost.exe' - '22' Module(s) have been scanned
    Scan process 'svchost.exe' - '22' Module(s) have been scanned
    Scan process 'lxdvcoms.exe' - '36' Module(s) have been scanned
    Scan process 'LSSrvc.exe' - '23' Module(s) have been scanned
    Scan process 'svchost.exe' - '35' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '30' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '31' Module(s) have been scanned
    Scan process 'taskeng.exe' - '81' Module(s) have been scanned
    Scan process 'ACService.exe' - '24' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '132' Module(s) have been scanned
    Scan process 'Dwm.exe' - '32' Module(s) have been scanned
    Scan process 'WLANExt.exe' - '45' Module(s) have been scanned
    Scan process 'svchost.exe' - '58' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '94' Module(s) have been scanned
    Scan process 'svchost.exe' - '94' Module(s) have been scanned
    Scan process 'nvvsvc.exe' - '41' Module(s) have been scanned
    Scan process 'svchost.exe' - '87' Module(s) have been scanned
    Scan process 'SLsvc.exe' - '23' Module(s) have been scanned
    Scan process 'svchost.exe' - '37' Module(s) have been scanned
    Scan process 'svchost.exe' - '151' Module(s) have been scanned
    Scan process 'svchost.exe' - '115' Module(s) have been scanned
    Scan process 'winlogon.exe' - '30' Module(s) have been scanned
    Scan process 'svchost.exe' - '72' Module(s) have been scanned
    Scan process 'svchost.exe' - '57' Module(s) have been scanned
    Scan process 'svchost.exe' - '35' Module(s) have been scanned
    Scan process 'nvvsvc.exe' - '25' Module(s) have been scanned
    Scan process 'svchost.exe' - '40' Module(s) have been scanned
    Scan process 'lsm.exe' - '22' Module(s) have been scanned
    Scan process 'lsass.exe' - '60' Module(s) have been scanned
    Scan process 'services.exe' - '33' Module(s) have been scanned
    Scan process 'csrss.exe' - '14' Module(s) have been scanned
    Scan process 'wininit.exe' - '26' Module(s) have been scanned
    Scan process 'csrss.exe' - '14' Module(s) have been scanned
    Scan process 'smss.exe' - '2' Module(s) have been scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!
    Boot sector 'D:\'
    [INFO] No virus was found!

    Starting to scan executable files (registry).
    The registry was scanned ( '1845' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\13E62A64-00003EEA.eml
    [0] Archive type: MIME
    [DETECTION] Is the TR/Spy.ZBot.HNO Trojan
    --> Gift_Certificate_131.zip
    [1] Archive type: ZIP
    --> Gift_Certificate_131.exe
    [DETECTION] Is the TR/Spy.ZBot.HNO Trojan
    C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\23186D38-00003EE4.eml
    [0] Archive type: MIME
    [DETECTION] Is the TR/Spy.ZBot.HNO Trojan
    --> Gift_Certificate_131.zip
    [1] Archive type: ZIP
    --> Gift_Certificate_131.exe
    [DETECTION] Is the TR/Spy.ZBot.HNO Trojan
    C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\00294823-0000064C.eml
    [0] Archive type: MIME
    [DETECTION] Is the TR/Agent.APDA Trojan
    --> file1.mim
    [1] Archive type: MIME
    --> UPS_invoice_4794.zip
    [2] Archive type: ZIP
    --> UPS_invoice_4794.exe
    [DETECTION] Is the TR/Agent.APDA Trojan
    C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\1C2B7AFD-000005F9.eml
    [0] Archive type: MIME
    [DETECTION] Is the TR/Agent.APDA Trojan
    --> UPS_invoice_4794.zip
    [1] Archive type: ZIP
    --> UPS_invoice_4794.exe
    [DETECTION] Is the TR/Agent.APDA Trojan
    C:\Users\Stacy\AppData\Local\Temp\tmp7DE.tmp
    [DETECTION] Is the TR/Vundo.Gen Trojan
    Begin scan in 'D:\' <RECOVERY>
    D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com
    [DETECTION] Is the TR/Dropper.Gen Trojan

    Beginning disinfection:
    D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '49921ed6.qua'.
    C:\Users\Stacy\AppData\Local\Temp\tmp7DE.tmp
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '514131b1.qua'.
    C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\1C2B7AFD-000005F9.eml
    [DETECTION] Is the TR/Agent.APDA Trojan
    [NOTE] The file was moved to the quarantine directory under the name '03586b77.qua'.
    C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\00294823-0000064C.eml
    [DETECTION] Is the TR/Agent.APDA Trojan
    [NOTE] The file was moved to the quarantine directory under the name '656f24a6.qua'.
    C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\23186D38-00003EE4.eml
    [DETECTION] Is the TR/Spy.ZBot.HNO Trojan
    [NOTE] The file was moved to the quarantine directory under the name '20ec099b.qua'.
    C:\Users\Stacy\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\13E62A64-00003EEA.eml
    [DETECTION] Is the TR/Spy.ZBot.HNO Trojan
    [NOTE] The file was moved to the quarantine directory under the name '5fc33bfa.qua'.


    End of the scan: Tuesday, November 16, 2010 12:07
    Used time: 2:25:07 Hour(s)

    The scan has been done completely.

    30178 Scanned directories
    630421 Files were scanned
    6 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    6 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    630415 Files not concerned
    25706 Archives were scanned
    0 Warnings
    6 Notes
    710258 Objects were scanned with rootkit scan
    0 Hidden objects were found

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=95afe8dbe67aed48b82a93ef9dfd61ee
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-16 04:14:35
    # local_time=2010-11-15 11:14:35 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=5892 16776573 100 100 0 126477937 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=250549
    # found=3
    # cleaned=0
    # scan_time=10466
    C:\Users\Stacy\AppData\Local\Temp\tmp7DE.tmp a variant of Win32/Kryptik.GL trojan 00000000000000000000000000000000 I
    C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp Win32/Olmarik.LT virus 00000000000000000000000000000000 I
    D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com a variant of Win32/Kryptik.GL trojan 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=95afe8dbe67aed48b82a93ef9dfd61ee
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-16 08:12:09
    # local_time=2010-11-16 03:12:09 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=1024 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775165 100 94 0 25517381 0 0
    # compatibility_mode=5892 16776573 100 100 0 126535160 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=251108
    # found=1
    # cleaned=0
    # scan_time=10697
    C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp Win32/Olmarik.LT virus 00000000000000000000000000000000 I
  8. wildbilliii

    wildbilliii Newcomer, in training Topic Starter Posts: 17

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The second submission of the ESET log is the full log; did you note the difference?

    Please download OTMoveIt by OldTimer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click OTMoveIt3.exe and select "Run as an Administrator".)
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes

      :Files
      C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp

      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right-click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of the files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, named by date and time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3.
    If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
    ===================================================
    For this: D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com a variant of Win32/Kryptik.GL trojan
    The Recycler is a hidden system folder. Although the programs may say 'deleted' or 'quarantined', there is a special way to remove an entry. The Recycler is where the Recycle Bin puts the files and folders that are deleted. To remove the infected files, 2 steps must be done first:
    1. The Recycle Bin must be empty, so be sure to do that right before bringing up the Recycler.
    2. Show Hidden Folders/Files using Windows Explorer.
    Open Windows Explorer: Windows key + E
    • Open My Computer.
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck (untick) Hide extensions of known file types.
    • Uncheck (untick) Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click OK.
    With Windows Explorer still open, scroll down to the Recycler on the left and double-click it to open.
    • Look on the right for the SID S-4-2-38-100014665-100025770-100003339-9018
    • Right-click > Delete on the numerical string.
    • Close Windows Explorer.
    Reset Hidden/System Files & Folders
    ===============================================
    Please download ComboFix from Here and save it to your Desktop.

    [1]. Do NOT rename ComboFix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double-click combofix.exe and follow the prompts to run.
    • NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If ComboFix asks you to install the Recovery Console, please allow it.
    [6]. If ComboFix asks you to update the program, always allow it.
    • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    [7]. A report will be generated after the scan. Please paste C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.
    ==================================
    Please don't run any scans unless I request them.
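    The ESET Online Scanner log pasted above is cumulative: each run appends a new "# version=" block, which is why the second submission showed two blocks with found=3 and then found=1. As an added example that is not part of the thread or of ESET's tooling, the Python below parses that format into runs, checks that each block's "found" count matches its detection lines, and reports which paths were still present in every run (here the tmp7FE.tmp file that the other tools had not removed). It assumes only what the posted log shows: detection paths start with a drive letter and contain no whitespace.

```python
"""Parse an ESET Online Scanner log like the one pasted in this thread.
The scanner appends one block per run to the same log: a '# version='
line, more '# key=value' header lines, then zero or more detection lines
of the form  <path> <threat description> <32 hex digits> <flag>."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^#\s*(?P<key>[^=]+?)=(?P<value>.*)$")
# ASSUMPTION (true of every detection line in the posted log): the path
# starts with a drive letter and contains no whitespace; the threat text
# runs up to a 32-hex-digit hash that is followed by a one-letter flag.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<threat>.+?)\s+"
    r"(?P<digest>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)


@dataclass
class ScanRun:
    header: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)  # dicts: path, threat, digest, flag

    def count(self, key):
        """Integer value of a numeric header field such as 'found'."""
        return int(self.header.get(key, "0"))


def parse_eset_log(text):
    """Split the log into runs; a new run begins at every '# version=' line.
    Anything before the first header line (installer chatter) is ignored."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            key, value = h.group("key").strip(), h.group("value").strip()
            if key == "version":
                current = ScanRun()
                runs.append(current)
            if current is not None:
                current.header[key] = value  # a repeated key keeps its last value
            continue
        d = DETECTION_RE.match(line)
        if d and current is not None:
            current.detections.append(d.groupdict())
    return runs


def inconsistent_runs(runs):
    """Indices of runs whose 'found' header disagrees with the number of
    detection lines present, the usual sign of a truncated paste."""
    return [i for i, r in enumerate(runs) if r.count("found") != len(r.detections)]


def persisted_between_runs(runs):
    """Paths reported by every run: whatever the cleanup in between missed."""
    if not runs:
        return set()
    common = {d["path"].lower() for d in runs[0].detections}
    for r in runs[1:]:
        common &= {d["path"].lower() for d in r.detections}
    return common


def report_only(run):
    """True when the run was set to report findings without removing them."""
    return run.header.get("remove_checked") == "false" and run.count("cleaned") == 0


# Abbreviated copy of the two runs posted above: the header keys used here plus the detection lines.
SAMPLE_LOG = r"""
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# utc_time=2010-11-16 04:14:35
# found=3
# cleaned=0
C:\Users\Stacy\AppData\Local\Temp\tmp7DE.tmp a variant of Win32/Kryptik.GL trojan 00000000000000000000000000000000 I
C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp Win32/Olmarik.LT virus 00000000000000000000000000000000 I
D:\RECYCLER\S-4-2-38-100014665-100025770-100003339-9018.com a variant of Win32/Kryptik.GL trojan 00000000000000000000000000000000 I
# version=7
# remove_checked=false
# utc_time=2010-11-16 08:12:09
# found=1
# cleaned=0
C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp Win32/Olmarik.LT virus 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    runs = parse_eset_log(SAMPLE_LOG)
    for i, r in enumerate(runs):
        print(f"run {i}: found={r.count('found')} report_only={report_only(r)}",
              [d["path"] for d in r.detections])
    print("inconsistent runs:", inconsistent_runs(runs))
    print("present in every run:", sorted(persisted_between_runs(runs)))
```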
  10. wildbilliii

    wildbilliii Newcomer, in training Topic Starter Posts: 17

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Users\Stacy\AppData\Local\Temp\tmp7FE.tmp moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    User: Stacy
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 10235764 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 957 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 128620 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 69264 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 10.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 11162010_192410

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    ComboFix 10-11-16.02 - Stacy 11/16/2010 19:45:19.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.1020 [GMT -5:00]
    Running from: c:\users\Stacy\Desktop\ComboFix.exe
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Stacy\g2mdlhlpx.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))
    .

    2010-11-17 00:57 . 2010-11-17 00:57 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-17 00:24 . 2010-11-17 00:24 -------- d-----w- C:\_OTM
    2010-11-16 17:12 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B7BC6D6D-13D3-4314-BDCE-071C6568FA94}\mpengine.dll
    2010-11-16 13:42 . 2010-11-16 13:42 -------- d-----w- c:\users\Stacy\AppData\Roaming\Avira
    2010-11-16 13:25 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-16 13:25 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\programdata\Avira
    2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\program files\Avira
    2010-11-16 11:33 . 2010-11-16 11:33 -------- d-----w- c:\users\Stacy\AppData\Roaming\AVG10
    2010-11-16 11:31 . 2010-11-16 11:31 -------- d--h--w- c:\programdata\Common Files
    2010-11-16 11:30 . 2010-11-16 12:28 -------- d-----w- c:\programdata\AVG10
    2010-11-16 11:28 . 2010-11-16 11:28 -------- d-----w- c:\program files\AVG
    2010-11-16 11:25 . 2010-11-16 11:28 -------- d-----w- c:\programdata\MFAData
    2010-11-16 01:16 . 2010-11-16 01:16 -------- d-----w- c:\program files\ESET
    2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\users\Stacy\AppData\Roaming\SUPERAntiSpyware.com
    2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-11-09 19:25 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2010-11-08 03:09 . 2010-11-08 03:09 -------- d-----w- c:\windows\system32\20-20 Technologies
    2010-10-27 11:59 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-27 11:59 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 11:59 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 15:41 . 2009-10-02 15:58 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56 . 2010-10-14 14:12 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01 . 2010-10-14 14:11 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57 . 2010-10-14 14:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57 . 2010-10-14 14:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56 . 2010-10-14 14:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56 . 2010-10-14 14:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04 . 2010-10-14 14:11 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26 . 2010-10-14 14:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25 . 2010-10-14 14:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20 . 2010-10-14 14:12 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19 . 2010-10-14 14:12 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-09-06 13:45 . 2010-10-14 14:12 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-09-06 13:45 . 2010-10-14 14:12 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-09-06 13:45 . 2010-10-14 14:12 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-08-31 15:46 . 2010-10-14 14:11 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46 . 2010-10-14 14:11 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44 . 2010-10-14 14:11 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27 . 2010-10-14 14:11 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:37 . 2010-10-14 14:11 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:33 . 2010-10-27 11:59 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33 . 2010-10-27 11:59 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33 . 2010-10-27 11:59 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-26 16:33 . 2010-10-27 11:59 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-20 16:05 . 2010-10-14 14:11 867328 ----a-w- c:\windows\system32\wmpmde.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21634344]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

    c:\users\Stacy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
    Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
    Worldspan Filter Agent.lnk - c:\wspan\swgw\FilterAgent.exe [2009-2-28 127044]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanUpdate]
    2008-05-02 20:39 77824 ------w- c:\program files\Netgear Update Assistant\LANUpdate.exe

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2007-10-18 98984]
    R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
    R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-08-11 33024]
    R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-08-11 41344]
    R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-08-11 39936]
    R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-08-11 59904]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-02 135336]
    S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2007-10-18 594600]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
    S2 SCAppMgr;Smart Client App Manager;c:\program files\Ellie Mae\SCAppMgr\SCAppMgr.exe [2010-04-20 65536]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-27 66080]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - SSMDRV

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-17 c:\windows\Tasks\User_Feed_Synchronization-{867F16FA-928E-4639-845D-74FAB36F9873}.job
    - c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: worldspan.com
    Trusted Zone: wspan.com
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-16 19:57
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-11-16 20:03:38
    ComboFix-quarantined-files.txt 2010-11-17 01:03

    Pre-Run: 62,567,206,912 bytes free
    Post-Run: 62,775,189,504 bytes free

    - - End Of File - - 49A59A4CCDD5253E41C15DD4105356C0
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have processes for both Avira and AVG10 running. Please uninstall one of them. How is it that neither shows in the list of your installed programs?
    2010-11-16 11:28 -------- d-----w- c:\program files\AVG
    2010-11-16 13:25 -------- d-----w- c:\program files\Avira


    And the Combofix header shows:
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    But there is no reference to either one of these AV programs being disabled for the scan.
    =========================================
    Download Security Check and save it to your Desktop.
    • Double-click SecurityCheck.exe to run.
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
    =======================================
    Please run this Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    DDS::
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateLBPShortCut"=-
    "UpdatePSTShortCut"=-
    "UpdateP2GoShortCut"=-
    "UpdatePDIRShortCut"=-
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
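Editor's note, added example (not part of any post in this thread, and not ComboFix's or Malwarebytes' own code): the single most telling line in the first ComboFix log is `uInternet Settings,ProxyServer = http=127.0.0.1:50370` under Supplementary Scan. Internet Explorer had been pointed at a proxy on the local machine, which is how an infection of this kind sits between the browser and the network; once the process that listened on that port is quarantined, every request goes to a dead port and the browser cannot load any page, which would explain the "IE8 will not connect to any webpages" symptom that opened the thread. The `DDS::` lines of the CFScript above remove that setting. The same log also shows `"EnableLUA"= 0` (UAC switched off) and, in the second run, a hidden executable under c:\windows\TEMP reported by catchme. The script below is a read-only triage pass that flags those three indicators plus autostart entries pointing into user-writable profile folders, the location of both payloads Malwarebytes removed at the start of the thread. The embedded sample log is a constructed excerpt: it takes lines from this thread and adds one invented Run value (`Updater` pointing at dwm.exe under AppData\Local\Temp, with made-up size and date) so the last check has something to fire on. The `Finding` class, the regex names and the loopback test are this example's own, not a ComboFix convention.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    indicator: str  # short tag for the class of indicator
    line: str       # the log line that triggered it
    note: str       # why a responder should care


# Line shapes this triage understands (ComboFix "Reg Loading Points",
# "Supplementary Scan" and catchme sections). Names are this example's own.
RUN_KEY_RE = re.compile(
    r'^\[HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\.*\\CurrentVersion\\Run\]$', re.I)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
PROXY_RE = re.compile(r'ProxyServer\s*=\s*(?P<proxy>\S+)', re.I)
LUA_DISABLED_RE = re.compile(r'"EnableLUA"\s*=\s*0\b')
HIDDEN_EXE_RE = re.compile(r'^(?P<path>[a-z]:\\.+?)\s+\d+ bytes executable$', re.I)
# Autostart binaries living in user-writable profile folders (assumed heuristic:
# legitimate software lives there too, so this is "review", not "malicious").
USER_WRITABLE_RE = re.compile(r'\\appdata\\(?:local\\temp|roaming)\\', re.I)


def is_loopback_proxy(proxy: str) -> bool:
    """True if any scheme in an IE ProxyServer string points back at this host.

    Accepts the bare 'host:port' form and the per-scheme
    'http=host:port;https=host:port' form that ComboFix prints.
    """
    for part in proxy.split(';'):
        target = part.split('=', 1)[-1]
        host = target.rsplit(':', 1)[0].strip('[]').lower()
        if host == 'localhost' or host == '::1' or host.startswith('127.'):
            return True
    return False


def triage_combofix(log_text: str) -> List[Finding]:
    """Walk a ComboFix log and return indicators worth a second look.

    Read-only: it classifies lines, it never touches the registry or files.
    """
    findings: List[Finding] = []
    in_run_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_run_key = False  # a blank line closes a registry key block
            continue
        if line.startswith('[HKEY_'):
            in_run_key = RUN_KEY_RE.match(line) is not None
            continue
        if in_run_key:
            m = RUN_VALUE_RE.match(line)
            if m and USER_WRITABLE_RE.search(m.group('path')):
                findings.append(Finding(
                    'run-from-user-writable', line,
                    'autostart binary in a user-writable folder; check hash and publisher'))
            continue
        m = PROXY_RE.search(line)
        if m and is_loopback_proxy(m.group('proxy')):
            findings.append(Finding(
                'loopback-proxy', line,
                'browser traffic routed through a local listener; once that '
                'process is removed the browser cannot reach anything'))
            continue
        if LUA_DISABLED_RE.search(line):
            findings.append(Finding(
                'uac-disabled', line,
                'EnableLUA=0: admin users run fully elevated with no consent prompt'))
            continue
        m = HIDDEN_EXE_RE.match(line)
        if m:
            findings.append(Finding(
                'hidden-executable', line,
                'catchme found an executable hidden from the Win32 API; hash it first'))
    return findings


# Constructed excerpt: lines from this thread's logs plus one invented Run
# value ("Updater" -> dwm.exe in AppData\Local\Temp) with a made-up timestamp.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21634344]
"Updater"="c:\users\stacy\appdata\local\temp\dwm.exe" [2010-11-14 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

------- Supplementary Scan -------
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370

c:\windows\TEMP\TMP000000BD7CE03C18CB20D20C 524288 bytes executable
hidden files: 1
"""

if __name__ == '__main__':
    for f in triage_combofix(SAMPLE_LOG):
        print(f'[{f.indicator}] {f.line}\n    {f.note}')
```

Run it against a saved C:\ComboFix.txt by reading the file into `triage_combofix`. The proxy check is deliberately narrow: a loopback proxy is the thing that turns a cleaned machine into one that "cannot connect to anything", so that is the entry to clear (or to trace to its listener with `netstat -anob` before cleaning, if you want to know what was intercepting the traffic).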
     
  12. wildbilliii

    wildbilliii Newcomer, in training Topic Starter Posts: 17

    I had uninstalled AVG in favor of Avira, not sure how to further the uninstall of AVG to stop the processes. Don't have an answer for why they don't show in installed programs.

    Proceeding with other instructions now.
  13. wildbilliii

    wildbilliii Newcomer, in training Topic Starter Posts: 17

    Thanks for your help with all this Bobbye!!

    Results of screen317's Security Check version 0.99.5
    Windows Vista Service Pack 2 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    Avira AntiVir Personal - Free Antivirus
    ESET Online Scanner v3
    Norton Internet Security
    WMI entry may not exist for antivirus; attempting automatic update.
    Avira successfully updated!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 17
    Out of date Java installed!
    Adobe Flash Player
    Adobe Reader 8
    Adobe Reader 9.1
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSASCui.exe
    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    Windows Defender MSASCui.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````


    ComboFix 10-11-16.05 - Stacy 11/17/2010 8:31.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.841 [GMT -5:00]
    Running from: c:\users\Stacy\Desktop\ComboFix.exe
    Command switches used :: c:\users\Stacy\Desktop\CFScript.txt
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Stacy\AppData\Local\Temp\ppcrlui_4604_2

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))
    .

    2010-11-17 13:43 . 2010-11-17 13:43 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-17 00:24 . 2010-11-17 00:24 -------- d-----w- C:\_OTM
    2010-11-16 17:12 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B7BC6D6D-13D3-4314-BDCE-071C6568FA94}\mpengine.dll
    2010-11-16 13:42 . 2010-11-16 13:42 -------- d-----w- c:\users\Stacy\AppData\Roaming\Avira
    2010-11-16 13:25 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-16 13:25 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\programdata\Avira
    2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\program files\Avira
    2010-11-16 11:33 . 2010-11-16 11:33 -------- d-----w- c:\users\Stacy\AppData\Roaming\AVG10
    2010-11-16 11:31 . 2010-11-16 11:31 -------- d--h--w- c:\programdata\Common Files
    2010-11-16 11:30 . 2010-11-16 12:28 -------- d-----w- c:\programdata\AVG10
    2010-11-16 11:28 . 2010-11-16 11:28 -------- d-----w- c:\program files\AVG
    2010-11-16 11:25 . 2010-11-16 11:28 -------- d-----w- c:\programdata\MFAData
    2010-11-16 01:16 . 2010-11-16 01:16 -------- d-----w- c:\program files\ESET
    2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\users\Stacy\AppData\Roaming\SUPERAntiSpyware.com
    2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-11-09 19:25 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2010-11-08 03:09 . 2010-11-08 03:09 -------- d-----w- c:\windows\system32\20-20 Technologies
    2010-10-27 11:59 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-27 11:59 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 11:59 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 15:41 . 2009-10-02 15:58 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56 . 2010-10-14 14:12 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01 . 2010-10-14 14:11 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57 . 2010-10-14 14:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57 . 2010-10-14 14:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56 . 2010-10-14 14:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56 . 2010-10-14 14:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04 . 2010-10-14 14:11 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26 . 2010-10-14 14:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25 . 2010-10-14 14:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20 . 2010-10-14 14:12 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19 . 2010-10-14 14:12 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-09-06 13:45 . 2010-10-14 14:12 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-09-06 13:45 . 2010-10-14 14:12 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-09-06 13:45 . 2010-10-14 14:12 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-08-31 15:46 . 2010-10-14 14:11 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46 . 2010-10-14 14:11 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44 . 2010-10-14 14:11 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27 . 2010-10-14 14:11 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:37 . 2010-10-14 14:11 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:33 . 2010-10-27 11:59 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33 . 2010-10-27 11:59 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33 . 2010-10-27 11:59 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-26 16:33 . 2010-10-27 11:59 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-20 16:05 . 2010-10-14 14:11 867328 ----a-w- c:\windows\system32\wmpmde.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21634344]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

    c:\users\Stacy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
    Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
    Worldspan Filter Agent.lnk - c:\wspan\swgw\FilterAgent.exe [2009-2-28 127044]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanUpdate]
    2008-05-02 20:39 77824 ------w- c:\program files\Netgear Update Assistant\LANUpdate.exe

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2007-10-18 98984]
    R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
    R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-08-11 33024]
    R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-08-11 41344]
    R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-08-11 39936]
    R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-08-11 59904]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-02 135336]
    S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2007-10-18 594600]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
    S2 SCAppMgr;Smart Client App Manager;c:\program files\Ellie Mae\SCAppMgr\SCAppMgr.exe [2010-04-20 65536]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-27 66080]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - SSMDRV

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-17 c:\windows\Tasks\User_Feed_Synchronization-{867F16FA-928E-4639-845D-74FAB36F9873}.job
    - c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: worldspan.com
    Trusted Zone: wspan.com
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-17 08:43
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\TMP000000BD7CE03C18CB20D20C 524288 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-11-17 08:47:39
    ComboFix-quarantined-files.txt 2010-11-17 13:47
    ComboFix2.txt 2010-11-17 01:03

    Pre-Run: 62,726,090,752 bytes free
    Post-Run: 62,718,414,848 bytes free

    - - End Of File - - 9EF48E7063BA1B6F06A8C9DB339303A0
  14. Bobbye

    Removal tools for programs you don't want to keep:
    Norton Removal Tool
    AVG Removal: Note: You may have to reinstall AVG to uninstall it fully

    You are also still running AVG10 (that makes 4 antivirus programs). The Security Check didn't pick it up. Uninstall it.

    RULE: One antivirus, one firewall. Remove others.
    Update as indicated.

    Handle these please while I check Combofix.
  15. wildbilliii

    Windows firewall>On
    Nortons>uninstalled
    AVG>uninstalled
    ESET>uninstalled
    Java>v6.22
    Flashplayer>uninstalled and updated
    Adobe Reader 8>uninstalled

    One Antivirus: Avira
    One Firewall: Windows Firewall

    I did not install AVG to uninstall it, just ran the AVG removal. They required an uninstall of Avira to install the AVG.
  16. Bobbye

    Please run this Custom CFScript

    1. Close any open browsers.
    2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\TEMP\TMP000000BD7CE03C18CB20D20C
    Folder::
    c:\users\Stacy\AppData\Roaming\AVG10
    c:\programdata\Common Files
    c:\programdata\AVG10
    c:\program files\AVG
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  17. wildbilliii

    okie Dokey here we go...

    ComboFix 10-11-18.04 - Stacy 11/19/2010 9:22.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.1012 [GMT -5:00]
    Running from: c:\users\Stacy\Desktop\ComboFix.exe
    Command switches used :: c:\users\Stacy\Desktop\cfscript.txt
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "c:\windows\TEMP\TMP000000BD7CE03C18CB20D20C"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\AVG
    c:\program files\AVG\AVG10\avgfree_zh.mht
    c:\program files\AVG\AVG10\avgfree_zt.mht
    c:\program files\AVG\AVG10\Notification\avgxobni_installerxTE.exe
    c:\program files\AVG\AVG10\Notification\XobniMiniAVGSetup.exe
    c:\programdata\AVG10
    c:\programdata\AVG10\Cfg\admin.cfg
    c:\programdata\AVG10\Cfg\changecfgreg.cfg
    c:\programdata\AVG10\Cfg\csl.cfg
    c:\programdata\AVG10\Cfg\emssrv.cfg
    c:\programdata\AVG10\Cfg\erd.cfg
    c:\programdata\AVG10\Cfg\idp.cfg
    c:\programdata\AVG10\Cfg\krnl.cfg
    c:\programdata\AVG10\Cfg\mail.cfg
    c:\programdata\AVG10\Cfg\mailsrv.cfg
    c:\programdata\AVG10\Cfg\mailsrvvsapi.cfg
    c:\programdata\AVG10\Cfg\malrep.cfg
    c:\programdata\AVG10\Cfg\scan.cfg
    c:\programdata\AVG10\Cfg\sched.cfg
    c:\programdata\AVG10\Cfg\setup.cfg
    c:\programdata\AVG10\Cfg\spsrv.cfg
    c:\programdata\AVG10\Cfg\update.cfg
    c:\programdata\AVG10\Cfg\updatecomps.cfg
    c:\programdata\AVG10\Cfg\user.cfg
    c:\programdata\AVG10\cfgall\falsealarm.cfg
    c:\programdata\AVG10\cfgall\krnlall.cfg
    c:\programdata\AVG10\cfgall\updateall.cfg
    c:\programdata\AVG10\cfgall\userall.cfg
    c:\programdata\AVG10\log\avgcfg.log
    c:\programdata\AVG10\log\avgcfg.log.lock
    c:\programdata\AVG10\log\avgchjw.log
    c:\programdata\AVG10\log\avgchjw.log.lock
    c:\programdata\AVG10\log\avgchjwsrv.log
    c:\programdata\AVG10\log\avgchjwsrv.log.lock
    c:\programdata\AVG10\log\avgcore.log
    c:\programdata\AVG10\log\avgcore.log.lock
    c:\programdata\AVG10\log\avgcsl.log
    c:\programdata\AVG10\log\avgcsl.log.lock
    c:\programdata\AVG10\log\avgemc.log
    c:\programdata\AVG10\log\avgemc.log.lock
    c:\programdata\AVG10\log\avgexc.log
    c:\programdata\AVG10\log\avgexc.log.lock
    c:\programdata\AVG10\log\avgldr.log
    c:\programdata\AVG10\log\avgldr.log.lock
    c:\programdata\AVG10\log\avglng.log
    c:\programdata\AVG10\log\avglng.log.lock
    c:\programdata\AVG10\log\avgns.log
    c:\programdata\AVG10\log\avgns.log.lock
    c:\programdata\AVG10\log\avgpostinst.log
    c:\programdata\AVG10\log\avgpostinst.log.lock
    c:\programdata\AVG10\log\avgrs.log
    c:\programdata\AVG10\log\avgrs.log.lock
    c:\programdata\AVG10\log\avgscan.log
    c:\programdata\AVG10\log\avgscan.log.lock
    c:\programdata\AVG10\log\avgsched.log
    c:\programdata\AVG10\log\avgsched.log.lock
    c:\programdata\AVG10\log\avgsrm.log
    c:\programdata\AVG10\log\avgsrm.log.lock
    c:\programdata\AVG10\log\avgtdi.log
    c:\programdata\AVG10\log\avgtdi.log.lock
    c:\programdata\AVG10\log\avgual.log
    c:\programdata\AVG10\log\avgual.log.lock
    c:\programdata\AVG10\log\avgui.log
    c:\programdata\AVG10\log\avgui.log.lock
    c:\programdata\AVG10\log\avgupd.log
    c:\programdata\AVG10\log\avgupd.log.lock
    c:\programdata\AVG10\log\avgwd.log
    c:\programdata\AVG10\log\avgwd.log.lock
    c:\programdata\AVG10\log\avgwdsvc.log
    c:\programdata\AVG10\log\avgwdsvc.log.lock
    c:\programdata\AVG10\log\avgxobniinstaller.log
    c:\programdata\AVG10\log\commonpriv.log
    c:\programdata\AVG10\log\commonpriv.log.lock
    c:\programdata\AVG10\log\fixcfg.log
    c:\programdata\AVG10\log\fixcfg.log.lock
    c:\programdata\AVG10\log\history.xml
    c:\programdata\AVG10\log\vault.log
    c:\programdata\AVG10\log\vault.log.lock
    c:\programdata\AVG10\scanlogs\I_00000001.log
    c:\programdata\AVG10\scanlogs\I_00000005.log
    c:\programdata\AVG10\scanlogs\I_00000006.log
    c:\programdata\AVG10\scanlogs\I_00000007.log
    c:\programdata\AVG10\scanlogs\I_00000008.log
    c:\programdata\AVG10\scanlogs\I_00000009.log
    c:\programdata\AVG10\scanlogs\I_00000010.log
    c:\programdata\AVG10\scanlogs\I_00000011.log
    c:\programdata\AVG10\scanlogs\I_00000012.log
    c:\programdata\AVG10\scanlogs\I_00000013.log
    c:\programdata\AVG10\scanlogs\I_00000014.log
    c:\programdata\AVG10\scanlogs\I_00000015.log
    c:\programdata\AVG10\scanlogs\I_00000016.log
    c:\programdata\AVG10\scanlogs\srm.idx
    c:\programdata\Common Files
    c:\programdata\Common Files\9D37C3F1-C0F8-23F3-3AA7-27D37C423B51.dat
    c:\users\Stacy\AppData\Roaming\AVG10
    c:\users\Stacy\AppData\Roaming\AVG10\cfgall\usergui.cfg

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
    .

    2010-11-19 14:34 . 2010-11-19 14:34 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-19 13:58 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{30A32AB8-9782-4DFF-80DC-C35398950512}\mpengine.dll
    2010-11-17 20:11 . 2010-11-17 20:11 -------- d-----w- c:\program files\Common Files\Java
    2010-11-17 20:11 . 2010-11-17 20:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-17 00:24 . 2010-11-17 00:24 -------- d-----w- C:\_OTM
    2010-11-16 13:42 . 2010-11-16 13:42 -------- d-----w- c:\users\Stacy\AppData\Roaming\Avira
    2010-11-16 13:25 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-16 13:25 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\programdata\Avira
    2010-11-16 13:25 . 2010-11-16 13:25 -------- d-----w- c:\program files\Avira
    2010-11-16 11:25 . 2010-11-16 11:28 -------- d-----w- c:\programdata\MFAData
    2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\users\Stacy\AppData\Roaming\SUPERAntiSpyware.com
    2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-11-15 20:56 . 2010-11-15 20:56 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-11-09 19:25 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2010-11-08 03:09 . 2010-11-08 03:09 -------- d-----w- c:\windows\system32\20-20 Technologies
    2010-10-27 11:59 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-27 11:59 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 11:59 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 15:41 . 2009-10-02 15:58 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56 . 2010-10-14 14:12 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01 . 2010-10-14 14:11 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57 . 2010-10-14 14:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57 . 2010-10-14 14:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56 . 2010-10-14 14:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56 . 2010-10-14 14:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04 . 2010-10-14 14:11 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26 . 2010-10-14 14:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25 . 2010-10-14 14:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20 . 2010-10-14 14:12 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19 . 2010-10-14 14:12 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-09-06 13:45 . 2010-10-14 14:12 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-09-06 13:45 . 2010-10-14 14:12 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-09-06 13:45 . 2010-10-14 14:12 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-08-31 15:46 . 2010-10-14 14:11 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46 . 2010-10-14 14:11 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44 . 2010-10-14 14:11 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27 . 2010-10-14 14:11 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:37 . 2010-10-14 14:11 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:33 . 2010-10-27 11:59 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33 . 2010-10-27 11:59 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33 . 2010-10-27 11:59 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-26 16:33 . 2010-10-27 11:59 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21634344]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\users\Stacy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanUpdate]
    2008-05-02 20:39 77824 ------w- c:\program files\Netgear Update Assistant\LANUpdate.exe

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2007-10-18 98984]
    R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-08-11 33024]
    R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-08-11 41344]
    R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-08-11 39936]
    R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-08-11 59904]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-02 135336]
    S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2007-10-18 594600]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
    S2 SCAppMgr;Smart Client App Manager;c:\program files\Ellie Mae\SCAppMgr\SCAppMgr.exe [2010-04-20 65536]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-27 66080]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-19 c:\windows\Tasks\User_Feed_Synchronization-{867F16FA-928E-4639-845D-74FAB36F9873}.job
    - c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: worldspan.com
    Trusted Zone: wspan.com
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-19 09:35
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-11-19 09:39:55
    ComboFix-quarantined-files.txt 2010-11-19 14:39
    ComboFix2.txt 2010-11-17 13:47
    ComboFix3.txt 2010-11-17 01:03

    Pre-Run: 62,758,768,640 bytes free
    Post-Run: 62,807,601,152 bytes free

    - - End Of File - - EE88F335B016E1ADDDCB4B9CA601058F

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:54:10 AM, on 11/19/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18975)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Epson Software\Event Manager\EEventManager.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\ehome\ehtray.exe
    C:\wspan\swgw\FilterAgent.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O15 - Trusted Zone: http://*.worldspan.com
    O15 - Trusted Zone: http://*.wspan.com
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: lxdvCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe
    O23 - Service: lxdv_device - - C:\Windows\system32\lxdvcoms.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Smart Client App Manager (SCAppMgr) - Ellie Mae, Inc. - C:\Program Files\Ellie Mae\SCAppMgr\SCAppMgr.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8585 bytes
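The O4 lines in the HijackThis log above are what a helper reads to decide which autostart entries are harmless vendor launchers and which need attention, which is why the instruction was not to let HijackThis fix anything on its own. The script below is an added example and is not code from this thread, from HijackThis or from ComboFix. It parses O4 Run entries from a constructed sample (vendor entries shaped like the log above, plus one entry shaped like the HKLM\..\Run\svchost value that Malwarebytes reported at the start of the thread, with a constructed target path) and flags only entries that start from a user-writable folder or that use a Windows system-process name outside the Windows folder. The `USER_WRITABLE` markers and the `SYSTEM_NAMES` set are assumptions for the heuristic, not anything the page states.

```python
"""Triage autostart (O4) entries from a HijackThis-style log.

Added example, not part of the thread, HijackThis or ComboFix. The
heuristics flag two things a helper looks for first: a program starting
from a folder any user can write to, and a Windows system-process name
(svchost, dwm, explorer, ...) pointing outside the Windows folder.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: vendor entries shaped like the O4 lines in the log on
# this thread, plus one entry shaped like the HKLM\..\Run\svchost value that
# Malwarebytes reported at the start of the thread (target path constructed
# from the dwm.exe path MBAM found under HKCU ...\Windows\load).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis (constructed sample)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Run: [svchost] C:\Users\Stacy\AppData\Local\Temp\dwm.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Shape of a line: O4 - HKLM\..\Run: [ValueName] command line
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# First drive-letter path ending in a binary extension. Non-greedy, so the
# unquoted paths with spaces that HijackThis prints are kept whole.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|scr|com|bat|cmd|pif)\b", re.IGNORECASE)

# Assumed heuristics (not from the page): folders any user can write to, and
# names of core Windows processes that malware likes to borrow.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
    "\\windows\\temp\\", "\\users\\public\\",
)
SYSTEM_NAMES = {"svchost", "dwm", "explorer", "csrss", "lsass",
                "winlogon", "services", "smss"}


@dataclass
class Finding:
    name: str        # registry value name, e.g. "svchost"
    hive: str        # HKLM or HKCU
    path: str        # executable or DLL the entry loads
    reasons: list = field(default_factory=list)


def _stem(filename):
    """'dwm.exe' -> 'dwm' (lower-case, extension stripped)."""
    return re.sub(r"\.[a-z]+$", "", filename.lower())


def triage_o4(log_text):
    """Return a Finding for every O4 entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        paths = PATH_RE.findall(m["cmd"])
        # Fall back to the bare launcher token (e.g. RUNDLL32.EXE) if the
        # command carries no full path at all.
        path = paths[0] if paths else (m["cmd"].split() or [""])[0]
        low = path.lower()
        f = Finding(m["name"], m["hive"], path)
        if any(marker in low for marker in USER_WRITABLE):
            f.reasons.append("starts from a user-writable folder")
        # Compare both the value name and the file name against system names.
        names = {_stem(m["name"]), _stem(low.rsplit("\\", 1)[-1])}
        if names & SYSTEM_NAMES and "\\windows\\" not in low:
            f.reasons.append("system-process name outside the Windows folder")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f.hive} Run\\{f.name}: {f.path}")
        for r in f.reasons:
            print("   -", r)
```

Run as-is it reports only the constructed svchost entry, with both reasons, and stays silent on the Synaptics, Avira, NVIDIA and Skype launchers; the real HijackThis log above would produce no findings, which matches the "System clean!" verdict that follows. The heuristics are deliberately narrow: a flagged entry is a prompt to look at the file, not a verdict.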
  18. Bobbye

    Good job! System clean!
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    If any programs we used remain, you can uninstall them in Add/Remove Programs in the Control Panel.

    Empty the Recycle Bin
    Let me know if you have any more questions.
  19. wildbilliii

    Thank you Bobbye, not only are you a handsome man, but intelligent as well.

    You made this very simple. Oh, now my wife just piped in and wants to thank you as well.

    Thanks for all your help!! :wave:
  20. Bobbye

    You're welcome to both of you! Here are some tips to help you stay clean- she can use them too:

    Tips for added security and safer browsing:
    Note: Some of these programs may not work on Windows 7 or a 64 bit OS.
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        ◦ Avira Free
        ◦ Avast Home
      • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
        ◦ Comodo
        ◦ Zone Alarm
      • Antispyware: I recommend all of the following:
        ◦ SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
        ◦ Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
        ◦ MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
        ◦ Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.
    3. Stay current on updates:
      ◦ Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      ◦ Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      ◦ Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      ◦ For Internet Explorer: Internet Options (through Tools or Control Panel) > Privacy tab > Advanced button > check 'Override automatic Cookie handling' > check 'Accept first party Cookies' > check 'Block third party Cookies' > check 'Allow per session Cookies' > Apply > OK.
      ◦ For Firefox: Tools > Options > Privacy > Cookies > check 'Accept Cookies from Sites' > uncheck 'Accept third party Cookies' > set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'Use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      ◦ ATF Cleaner by Atribune
      OR
      ◦ TFC
      Disable and Enable System Restore:
      ◦ See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      ◦ Don't open email from anyone you don't know.
      ◦ Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      ◦ Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
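An added example (not part of the thread or of the MVPS project) to go with the HOSTS-file tip above: the MVPS list works by mapping ad and tracker names to 127.0.0.1, so a quick sanity check on a hosts file is to separate entries that sink names to the local machine from entries that send names to some other address, which is what a hosts-file hijack looks like. The sample hosts content and all host names and IPs in it are constructed for the example.

```python
import ipaddress

# Constructed sample hosts-file text (not a real MVPS file). Lines 2-3 are the
# normal localhost mappings, the next three are ad/tracker sinkholes of the kind
# MVPS adds, and the last two send real-looking names to a remote address.
SAMPLE_HOSTS = """\
# header comment
127.0.0.1 localhost
::1 localhost
0.0.0.0 ad.example-ads.com
127.0.0.1 ads.example.org   # sinkholed to the local machine
127.0.0.1 tracker.example.net
203.0.113.5 www.bank-example.com
203.0.113.5 update.example-av.com
"""

# Addresses that mean "go nowhere": loopback or the unspecified address.
LOCAL_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line, ignore it
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def classify(entries):
    """Split entries into sinkhole blocks (expected from an ad-block list) and
    redirects to any other address (worth a close look: an ad-block list never
    sends a name to a remote IP, but a hijacked hosts file does)."""
    blocked, redirected = [], []
    for ip, host in entries:
        if host == "localhost":
            continue                          # the mapping every hosts file has
        (blocked if ip in LOCAL_SINKS else redirected).append((ip, host))
    return blocked, redirected
```

On a real machine the same two functions can be run over the contents of C:\Windows\System32\drivers\etc\hosts; any name in the `redirected` list deserves a look.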