TechSpot

My PC has a case of Sirefef

By Buddy Lee
May 28, 2012
  1. Hello.

    Today my system was running normally with no abnormal symptoms when my Microsoft Security Essentials started barking at me about a threat it had detected. So I ran a full scan and it detected and quarantined sirefef (there were a couple of sirefefs listed as AG, AK and AB I believe). After the scan was done (3 hours later) I was about to run MBAM when MSE popped another message at me that it had quarantined a threat (sirefef again). At that time I updated and ran MBAM and it seems to have stopped but I would really appreciate it if someone could take a look.

    Thanks in advance!

    P.S. - I used to have AVG installed on the system before switching to MSE but had problems with the uninstall.

    I did go through the standard initial steps and the logs are as follows:

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.05.28.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Buddy Lee :: APEVIA [limited]

    5/28/2012 1:41:32 AM
    mbam-log-2012-05-28 (01-41-32).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 242648
    Time elapsed: 12 minute(s), 46 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 2
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rfdvpn (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\BUDDYL~1\LOCALS~1\Temp\rfdvpn.dll",SteamUser -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|danonc (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\BUDDYL~1\LOCALS~1\Temp\danonc.dll",ConvertMeshSubsetToStrips -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.
    C:\Documents and Settings\Buddy Lee\Local Settings\Temp\rfdvpn.dll (Trojan.Agent.LTGen) -> Delete on reboot.
    C:\Documents and Settings\Buddy Lee\Local Settings\Temp\danonc.dll (Trojan.Agent.LTGen) -> Delete on reboot.

    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-05-28 02:08:01
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 rev.
    Running: tqj56rvl.exe; Driver: C:\DOCUME~1\BUDDYL~1\LOCALS~1\Temp\pwtdrpod.sys
    ---- Disk sectors - GMER 1.0.15 ----
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
    ---- Devices - GMER 1.0.15 ----
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    ---- EOF - GMER 1.0.15 ----
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
    Run by Buddy Lee at 2:20:31 on 2012-05-28
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2614 [GMT -4:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
    C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
    C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\GIGABYTE\ET6\GUI.exe
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\Akamai\netsession_win.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\Akamai\netsession_win.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Application Updater\ApplicationUpdater.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = 127.0.0.1;127.0.0.1:9421;*.local;<local>
    uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
    TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [Google Update] "c:\documents and settings\buddy lee\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Akamai NetSession Interface] "c:\documents and settings\buddy lee\local settings\application data\akamai\netsession_win.exe"
    uRun: [Sonic RecordNow! Deluxe]
    mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
    mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
    mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
    mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [<NO NAME>]
    mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    LSP: mswsock.dll
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260049794531
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\buddy lee\application data\mozilla\firefox\profiles\xmqrti8r.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\buddy lee\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\documents and settings\buddy lee\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-6 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-6 243024]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-4-30 218688]
    R1 MpKsl0127d349;MpKsl0127d349;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d908845-8389-41ec-a3e9-3315fcd05ce1}\MpKsl0127d349.sys [2012-5-28 29904]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
    R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2012-5-25 785344]
    R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-12-5 68136]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-5-18 2348352]
    R3 AODDriver;AODDriver;c:\program files\gigabyte\et6\i386\AODDriver.sys [2009-2-23 7168]
    R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-12-6 24944]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-7-14 19720]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-6 216400]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-5 1691480]
    S3 etdrv;etdrv;c:\windows\etdrv.sys [2009-12-6 17488]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S4 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
    S4 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    .
    =============== Created Last 30 ================
    .
    2012-05-28 06:13:28  29904  ----a-w-  c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d908845-8389-41ec-a3e9-3315fcd05ce1}\MpKsl0127d349.sys
    2012-05-28 06:10:09  6737808  ----a-w-  c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d908845-8389-41ec-a3e9-3315fcd05ce1}\mpengine.dll
    2012-05-27 14:44:38  --------  d-----w-  c:\documents and settings\buddy lee\local settings\application data\{61292E35-A7F7-11E1-8270-B8AC6F996F26}
    2012-05-27 12:27:55  --------  d-----w-  c:\documents and settings\buddy lee\local settings\application data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}
    2012-05-26 01:22:28  6737808  ----a-w-  c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-05-26 01:12:35  --------  d-----w-  c:\documents and settings\buddy lee\application data\Search Settings
    2012-05-26 01:12:30  --------  d-----w-  c:\program files\Application Updater
    2012-05-26 01:12:29  --------  d-----w-  c:\program files\YouTube Downloader Toolbar
    2012-05-26 01:12:29  --------  d-----w-  c:\program files\common files\Spigot
    2012-05-18 20:55:57  881984  ----a-w-  c:\windows\system32\nvgenco32.dll
    2012-05-18 20:55:57  1000256  ----a-w-  c:\windows\system32\nvdispco32.dll
    2012-05-18 16:06:09  --------  d-----w-  c:\documents and settings\buddy lee\application data\DDMSettings
    2012-05-18 16:04:53  9200  ------w-  c:\windows\system32\drivers\cdralw2k.sys
    2012-05-18 16:04:53  9072  ------w-  c:\windows\system32\drivers\cdr4_xp.sys
    2012-05-18 16:04:53  133616  ------w-  c:\windows\system32\pxafs.dll
    2012-05-18 16:04:53  126448  ------w-  c:\windows\system32\pxinsi64.exe
    2012-05-18 16:04:53  123888  ------w-  c:\windows\system32\pxcpyi64.exe
    2012-05-18 16:04:24  --------  d-----w-  c:\program files\common files\DivX Shared
    2012-05-18 15:29:26  --------  d-----w-  c:\program files\DivX
    2012-05-18 15:27:46  --------  d-----w-  c:\documents and settings\all users\application data\DivX
    2012-05-16 03:48:37  --------  d-----w-  c:\program files\Diablo III
    2012-05-16 03:45:04  --------  d-----w-  c:\documents and settings\all users\application data\Battle.net
    2012-05-11 02:26:05  102248  ----a-w-  c:\documents and settings\buddy lee\GoToAssistDownloadHelper.exe
    2012-05-11 02:17:40  --------  d-----w-  c:\documents and settings\buddy lee\local settings\application data\Citrix
    2012-05-04 20:39:57  419488  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    .
    ==================== Find3M ====================
    .
    2012-05-28 05:58:30  24944  ----a-w-  c:\windows\system32\drivers\GVTDrv.sys
    2012-05-28 05:58:01  17488  ----a-w-  c:\windows\gdrv.sys
    2012-05-18 20:56:33  293992  ----a-w-  c:\windows\system32\nvdrsdb0.bin
    2012-05-18 20:56:33  1  ----a-w-  c:\windows\system32\nvdrssel.bin
    2012-05-18 20:56:31  293992  ----a-w-  c:\windows\system32\nvdrsdb1.bin
    2012-05-04 20:39:57  70304  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-11 13:14:41  2148352  ----a-w-  c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12:06  1862272  ----a-w-  c:\windows\system32\win32k.sys
    2012-04-11 12:35:51  2026496  ----a-w-  c:\windows\system32\ntkrnlpa.exe
    2012-04-04 19:56:40  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-03-21 00:44:12  171064  ----a-w-  c:\windows\system32\drivers\MpFilter.sys
    2012-03-03 04:53:23  17488  ----a-w-  c:\windows\etdrv.sys
    2012-03-01 11:01:32  916992  ----a-w-  c:\windows\system32\wininet.dll
    2012-03-01 11:01:32  43520  ----a-w-  c:\windows\system32\licmgr10.dll
    2012-03-01 11:01:32  1469440  ------w-  c:\windows\system32\inetcpl.cpl
    2012-02-29 23:58:00  65536  ----a-w-  c:\windows\system32\OpenCL.dll
    2012-02-29 23:58:00  5918720  ----a-w-  c:\windows\system32\nvcuda.dll
    2012-02-29 23:58:00  4309760  ----a-w-  c:\windows\system32\nv4_disp.dll
    2012-02-29 23:58:00  2522944  ----a-w-  c:\windows\system32\nvcuvid.dll
    2012-02-29 23:58:00  2437440  ----a-w-  c:\windows\system32\nvcuvenc.dll
    2012-02-29 23:58:00  2291712  ----a-w-  c:\windows\system32\nvapi.dll
    2012-02-29 23:58:00  18624512  ----a-w-  c:\windows\system32\nvoglnt.dll
    2012-02-29 23:58:00  17534976  ----a-w-  c:\windows\system32\nvcompiler.dll
    2012-02-29 23:58:00  13417632  ----a-w-  c:\windows\system32\drivers\nv4_mini.sys
    2012-02-29 20:30:31  54272  ----a-w-  c:\windows\system32\nvwddi.dll
    2012-02-29 20:30:24  15494464  ----a-w-  c:\windows\system32\nvcpl.dll
    2012-02-29 20:30:24  143680  ----a-w-  c:\windows\system32\nvcolor.exe
    2012-02-29 20:30:23  164160  ----a-w-  c:\windows\system32\nvsvc32.exe
    2012-02-29 20:30:23  108352  ----a-w-  c:\windows\system32\nvmctray.dll
    2012-02-29 14:10:16  177664  ----a-w-  c:\windows\system32\wintrust.dll
    2012-02-29 14:10:16  148480  ----a-w-  c:\windows\system32\imagehlp.dll
    2012-02-29 12:17:40  385024  ----a-w-  c:\windows\system32\html.iec
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600
    .
    CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
    device: opened successfully
    user: error reading MBR
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk0\DR0[0x8B037030]
    3 CLASSPNP[0xB8118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000006e[0x8B026490]
    5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8B039940]
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    user != kernel MBR !!!
    .
    ============= FINISH: 2:20:37.93 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/4/2009 11:32:03 PM
    System Uptime: 5/28/2012 1:57:24 AM (1 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3R
    Processor: Intel Pentium III Xeon processor | Socket 775 | 2999/333mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 932 GiB total, 354.491 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_02\4&33BA0C0F&0&00E4
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_02\4&33BA0C0F&0&00E4
    Service: RTLE8023xp
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\241D7B0DB0
    Manufacturer: Microsoft
    Name: 1394 Net Adapter #2
    PNP Device ID: V1394\NIC1394\241D7B0DB0
    Service: NIC1394
    .
    ==== System Restore Points ===================
    .
    RP746: 2/28/2012 6:14:02 PM - System Checkpoint
    RP747: 2/29/2012 6:16:06 PM - Software Distribution Service 3.0
    RP748: 3/1/2012 6:39:09 PM - Software Distribution Service 3.0
    RP749: 3/2/2012 10:34:03 PM - Software Distribution Service 3.0
    RP750: 3/3/2012 11:29:47 PM - System Checkpoint
    RP751: 3/4/2012 1:59:30 AM - Software Distribution Service 3.0
    RP752: 3/5/2012 1:57:32 PM - Software Distribution Service 3.0
    RP753: 3/6/2012 2:16:15 PM - Software Distribution Service 3.0
    RP754: 3/7/2012 2:17:36 PM - System Checkpoint
    RP755: 3/8/2012 7:04:21 PM - Software Distribution Service 3.0
    RP756: 3/9/2012 7:07:54 PM - System Checkpoint
    RP757: 3/9/2012 10:38:05 PM - Software Distribution Service 3.0
    RP758: 3/10/2012 8:38:05 AM - Installed DirectX
    RP759: 3/11/2012 11:30:06 AM - Software Distribution Service 3.0
    RP760: 3/12/2012 8:08:30 PM - Software Distribution Service 3.0
    RP761: 3/14/2012 8:13:00 PM - Software Distribution Service 3.0
    RP762: 3/14/2012 11:15:33 PM - Software Distribution Service 3.0
    RP763: 3/16/2012 3:04:08 PM - Software Distribution Service 3.0
    RP764: 3/16/2012 3:17:39 PM - Software Distribution Service 3.0
    RP765: 3/17/2012 3:52:59 PM - System Checkpoint
    RP766: 3/18/2012 9:50:06 AM - Software Distribution Service 3.0
    RP767: 3/19/2012 6:13:19 PM - Software Distribution Service 3.0
    RP768: 3/20/2012 7:19:29 PM - Software Distribution Service 3.0
    RP769: 3/21/2012 9:26:33 PM - Software Distribution Service 3.0
    RP770: 3/23/2012 11:19:09 AM - Software Distribution Service 3.0
    RP771: 3/24/2012 2:55:57 PM - Software Distribution Service 3.0
    RP772: 3/25/2012 4:21:13 PM - System Checkpoint
    RP773: 3/25/2012 4:59:17 PM - Software Distribution Service 3.0
    RP774: 3/26/2012 8:51:56 PM - Software Distribution Service 3.0
    RP775: 3/28/2012 9:27:43 AM - Software Distribution Service 3.0
    RP776: 3/29/2012 9:39:44 PM - Software Distribution Service 3.0
    RP777: 3/30/2012 11:08:36 PM - System Checkpoint
    RP778: 3/31/2012 9:41:22 AM - Software Distribution Service 3.0
    RP779: 4/1/2012 9:45:09 AM - System Checkpoint
    RP780: 4/2/2012 8:11:52 PM - Software Distribution Service 3.0
    RP781: 4/4/2012 8:28:52 PM - Software Distribution Service 3.0
    RP782: 4/6/2012 5:55:54 PM - Software Distribution Service 3.0
    RP783: 4/7/2012 6:53:28 PM - Software Distribution Service 3.0
    RP784: 4/9/2012 8:33:36 PM - Software Distribution Service 3.0
    RP785: 4/11/2012 12:46:39 PM - Software Distribution Service 3.0
    RP786: 4/12/2012 12:48:37 PM - System Checkpoint
    RP787: 4/13/2012 10:54:10 AM - Software Distribution Service 3.0
    RP788: 4/13/2012 11:24:51 AM - Software Distribution Service 3.0
    RP789: 4/15/2012 10:44:30 AM - Software Distribution Service 3.0
    RP790: 4/16/2012 8:36:22 PM - Software Distribution Service 3.0
    RP791: 4/17/2012 9:08:07 PM - Software Distribution Service 3.0
    RP792: 4/19/2012 8:27:09 PM - Software Distribution Service 3.0
    RP793: 4/21/2012 5:43:35 PM - Software Distribution Service 3.0
    RP794: 4/22/2012 6:14:05 PM - System Checkpoint
    RP795: 4/26/2012 9:24:42 PM - Software Distribution Service 3.0
    RP796: 4/28/2012 3:58:03 PM - Software Distribution Service 3.0
    RP797: 5/2/2012 8:57:16 PM - Software Distribution Service 3.0
    RP798: 5/4/2012 2:18:23 PM - Software Distribution Service 3.0
    RP799: 5/5/2012 7:05:59 PM - Software Distribution Service 3.0
    RP800: 5/6/2012 8:01:45 PM - System Checkpoint
    RP801: 5/10/2012 9:46:52 PM - Software Distribution Service 3.0
    RP802: 5/13/2012 7:14:55 PM - System Checkpoint
    RP803: 5/14/2012 12:04:38 PM - Software Distribution Service 3.0
    RP804: 5/14/2012 6:24:07 PM - Software Distribution Service 3.0
    RP805: 5/15/2012 6:35:17 PM - Software Distribution Service 3.0
    RP806: 5/15/2012 6:58:24 PM - Software Distribution Service 3.0
    RP807: 5/16/2012 8:10:55 PM - Software Distribution Service 3.0
    RP808: 5/17/2012 8:40:46 PM - Software Distribution Service 3.0
    RP809: 5/18/2012 9:03:37 PM - System Checkpoint
    RP810: 5/19/2012 10:20:00 AM - Software Distribution Service 3.0
    RP811: 5/20/2012 10:20:57 PM - Software Distribution Service 3.0
    RP812: 5/21/2012 9:14:50 PM - Software Distribution Service 3.0
    RP813: 5/21/2012 11:06:12 PM - Software Distribution Service 3.0
    RP814: 5/22/2012 5:39:47 PM - Software Distribution Service 3.0
    RP815: 5/23/2012 2:18:15 AM - Software Distribution Service 3.0
    RP816: 5/23/2012 5:36:40 PM - Software Distribution Service 3.0
    RP817: 5/24/2012 6:07:33 PM - Software Distribution Service 3.0
    RP818: 5/25/2012 9:22:25 PM - Software Distribution Service 3.0
    RP819: 5/26/2012 9:27:44 PM - System Checkpoint
    RP820: 5/27/2012 8:12:48 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Acala DVD Ripper Professional 6.1.8
    Acrobat.com
    Activision(R)
    Adobe AIR
    Adobe Community Help
    Adobe Creative Suite 5 Master Collection
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Media Player
    Adobe Reader 9.4.4
    Akamai NetSession Interface
    Akamai NetSession Interface Service
    Any Video Converter 3.3.4
    AoA DVD Ripper
    APB Reloaded
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.2.6
    AVG Free 9.0
    Battlefield Heroes
    Blur(TM)
    Bonjour
    Borderlands
    Browser Configuration Utility
    calibre
    Citrix Presentation Server Client
    Counter-Strike: Source
    Curse Client
    DAEMON Tools Lite
    Dawn of War - Dark Crusade
    DC Universe Online Live
    Defcon Demo
    Diablo III
    DivX Setup
    DMIView B8.0717.01
    doPDF 7.0 printer
    Dual-Core Optimizer
    Duke Nukem Forever Demo
    DVD Shrink 3.2
    Easy Tune 6 B09.0326.1
    EdenEternal
    Energy Saver Advance B9.0316.1
    EVGA Precision 1.8.0
    Fantasy Earth Zero
    Far Cry 2
    FlatOut Ultimate Carnage
    Fraps (remove only)
    Free Audio CD Burner version 1.2
    Free YouTube to MP3 Converter version 3.3
    Get the Picture!
    Gigabyte Raid Configurer
    Google Chrome
    Google SketchUp 8
    Handbrake 0.9.4
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    hp instant support
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp psc 1100 series
    hp psc 1100 series
    IGG Web3D Player version 1.0.0.37
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 29
    League of Legends
    Logitech GamePanel Software 3.03.133
    Magic: The Gathering — Duels of the Planeswalkers 2012 - Demo
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Mini Ninjas 1.0
    Mozilla Firefox 5.0.1 (x86 en-US)
    Nero Suite
    NVIDIA Control Panel 296.10
    NVIDIA Graphics Driver 296.10
    NVIDIA Install Application
    NVIDIA nView 136.18
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.12.0213
    NVIDIA Update 1.7.11
    NVIDIA Update Components
    OpenAL
    Orcs Must Die! Demo
    Pando Media Booster
    PDF Settings CS5
    Pepakura Viewer 3
    Plants vs. Zombies(TM)
    Portal
    Portal 2
    PowerDVD
    PunkBuster Services
    QuickTime
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    RIFT
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sonic Audio Module
    Sonic CinePlayer
    Sonic Copy Module
    Sonic Data Module
    Sonic MyDVD Studio Deluxe
    Sonic RecordNow! Deluxe
    Sonic Update Manager
    SpeechRedist
    Spelling Dictionaries Support For Adobe Reader 9
    SPORE™
    Star Wars: The Old Republic
    StarCraft
    Steam
    STOIK Video Converter 3
    System Requirements Lab
    System Requirements Lab CYRI
    Tablet
    Team Fortress 2
    Tornado Jockey
    Uninstall 1.0.0.1
    Unity Web Player
    Unreal Tournament 2004
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.6195
    Ventrilo Client
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows XP Service Pack 3
    World of Logs Client
    World of Warcraft
    Wow Web Stats Client v3.0
    XML Paper Specification Shared Components Pack 1.0
    Xvid 1.2.2 final uninstall
    YouTube Downloader 3.5
    YouTube Downloader Toolbar v5.8
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/26/2012 4:22:15 PM, error: nv [108] - The driver nv4_disp for the display device \Device\Video0 got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly. Please check with your hardware device vendor for any driver updates.
    5/25/2012 10:02:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86
    5/24/2012 5:56:51 PM, error: Dhcp [1002] - The IP address lease 192.168.1.42 for the Network Card with network address 00241DC033FA has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
    5/23/2012 8:46:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    5/23/2012 8:39:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Cinemsup Fips intelppm MpFilter
    5/23/2012 8:12:03 PM, error: Dhcp [1002] - The IP address lease 10.0.0.3 for the Network Card with network address 00241DC033FA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    5/21/2012 7:06:28 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 10.0.0.3 with the system having network hardware address 4C:B1:99:2C:92:87. Network operations on this system may be disrupted as a result.
    5/21/2012 6:36:13 PM, error: System Error [1003] - Error code 000000ea, parameter1 89e19da0, parameter2 8afbff60, parameter3 8ab75150, parameter4 00000001.
    5/21/2012 6:33:56 PM, error: Dhcp [1002] - The IP address lease 10.0.0.2 for the Network Card with network address 00241DC033FA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    5/21/2012 6:06:48 PM, error: JRAID [9] - The device, \Device\Scsi\JRAID1, did not respond within the timeout period.
    5/21/2012 6:05:39 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good morning and welcome to TechSpot! I'll help with the malware.

It appears that AVG is still installed. I'd like you to run Combofix- but it won't run with AVG. Since you mean to remove it anyway, this should help:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    =============================
    After the uninstall has completed,

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------

    • Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in your next reply.

    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ==============================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  3. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Hi Bobbye.

    Thanks for your help. As requested, I have removed the remnants of AVG (or at least it looks that way), ran ComboFix and EsetOnlineScan. Just to let you know after my initial post (but before you replied) I did run my MSE again and it detected and removed sirefef.AB. (I just wanted you to know of any actions I have taken so far.)

    Also, I'm not sure if it is related, but it seems that when I go to google.com, Chrome alerts me that the page has insecure content, and if I choose to load it anyway, a small red X shows up on the padlock and a red line crosses through the "https:" in the address bar. Again, not sure if it is related or will be fixed in the course of your assistance, but I wanted to let you know.

    Here are the logs from today's requested scans:

    From ComboFix:

    ComboFix 12-05-28.01 - Buddy Lee 05/28/2012 9:57.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2620 [GMT -4:00]
    Running from: c:\documents and settings\Buddy Lee\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Buddy Lee\GoToAssistDownloadHelper.exe
    c:\documents and settings\Buddy Lee\Local Settings\Application Data\._Revolution_
    C:\install.exe
    c:\windows\system32\dllcache\dlimport.exe
    c:\windows\system32\dllcache\wmpvis.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-28 13:56 . 2012-05-08 16:40  6737808  ------w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{06B27F91-B126-4A0D-ACCE-110EA6A154B0}\mpengine.dll
    2012-05-28 06:20 . 2012-05-08 16:40  6737808  ------w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-05-27 14:44 . 2012-05-27 14:44  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\{61292E35-A7F7-11E1-8270-B8AC6F996F26}
    2012-05-27 12:27 . 2012-05-27 12:27  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}
    2012-05-26 01:12 . 2012-05-26 01:12  --------  d-----w-  c:\documents and settings\Buddy Lee\Application Data\Search Settings
    2012-05-26 01:12 . 2012-05-26 01:12  --------  d-----w-  c:\program files\Application Updater
    2012-05-26 01:12 . 2012-05-26 01:12  --------  d-----w-  c:\program files\YouTube Downloader Toolbar
    2012-05-26 01:12 . 2012-05-26 01:12  --------  d-----w-  c:\program files\Common Files\Spigot
    2012-05-18 20:57 . 2012-05-18 20:57  --------  d-----w-  c:\documents and settings\UpdatusUser
    2012-05-18 20:55 . 2012-02-29 23:58  881984  ----a-w-  c:\windows\system32\nvgenco32.dll
    2012-05-18 20:55 . 2012-02-29 23:58  1000256  ----a-w-  c:\windows\system32\nvdispco32.dll
    2012-05-18 16:06 . 2012-05-18 16:06  --------  d-----w-  c:\documents and settings\Buddy Lee\Application Data\DDMSettings
    2012-05-16 03:48 . 2012-05-16 10:20  --------  d-----w-  c:\program files\Diablo III
    2012-05-16 03:45 . 2012-05-16 03:45  --------  d-----w-  c:\documents and settings\All Users\Application Data\Battle.net
    2012-05-11 03:48 . 2012-05-11 03:49  --------  d-----w-  c:\documents and settings\Administrator
    2012-05-11 02:17 . 2012-05-11 02:17  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\Citrix
    2012-05-04 20:39 . 2012-05-04 20:39  419488  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-28 13:45 . 2009-12-06 22:06  24944  ----a-w-  c:\windows\system32\drivers\GVTDrv.sys
    2012-05-28 13:44 . 2009-12-06 22:06  17488  ----a-w-  c:\windows\gdrv.sys
    2012-05-04 20:39 . 2011-06-07 13:15  70304  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-11 13:14 . 2002-08-28 23:04  2148352  ----a-w-  c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12 . 2002-08-29 00:14  1862272  ----a-w-  c:\windows\system32\win32k.sys
    2012-04-11 12:35 . 2002-08-29 01:04  2026496  ----a-w-  c:\windows\system32\ntkrnlpa.exe
    2012-04-04 19:56 . 2011-03-24 00:35  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-03-21 00:44 . 2010-10-25 01:25  171064  ----a-w-  c:\windows\system32\drivers\MpFilter.sys
    2012-03-03 04:53 . 2009-12-06 22:06  17488  ----a-w-  c:\windows\etdrv.sys
    2012-03-01 11:01 . 2002-08-29 01:41  1469440  ------w-  c:\windows\system32\inetcpl.cpl
    2012-03-01 11:01 . 2002-08-29 01:41  916992  ----a-w-  c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2002-08-29 01:41  43520  ----a-w-  c:\windows\system32\licmgr10.dll
    2012-02-29 23:58 . 2010-01-30 19:44  65536  ----a-w-  c:\windows\system32\OpenCL.dll
    2012-02-29 23:58 . 2010-01-30 19:44  17534976  ----a-w-  c:\windows\system32\nvcompiler.dll
    2012-02-29 23:58 . 2009-08-16 16:57  5918720  ----a-w-  c:\windows\system32\nvcuda.dll
    2012-02-29 23:58 . 2009-08-16 16:57  2522944  ----a-w-  c:\windows\system32\nvcuvid.dll
    2012-02-29 23:58 . 2009-08-16 16:57  2437440  ----a-w-  c:\windows\system32\nvcuvenc.dll
    2012-02-29 23:58 . 2009-08-16 16:57  2291712  ----a-w-  c:\windows\system32\nvapi.dll
    2012-02-29 23:58 . 2009-08-16 16:57  18624512  ----a-w-  c:\windows\system32\nvoglnt.dll
    2012-02-29 23:58 . 2004-08-04 07:56  4309760  ----a-w-  c:\windows\system32\nv4_disp.dll
    2012-02-29 23:58 . 2004-08-04 05:29  13417632  ----a-w-  c:\windows\system32\drivers\nv4_mini.sys
    2012-02-29 20:30 . 2011-01-07 23:56  54272  ----a-w-  c:\windows\system32\nvwddi.dll
    2012-02-29 20:30 . 2011-01-07 23:56  15494464  ----a-w-  c:\windows\system32\nvcpl.dll
    2012-02-29 20:30 . 2011-01-07 23:56  143680  ----a-w-  c:\windows\system32\nvcolor.exe
    2012-02-29 20:30 . 2011-01-07 23:56  164160  ----a-w-  c:\windows\system32\nvsvc32.exe
    2012-02-29 20:30 . 2011-01-07 23:56  108352  ----a-w-  c:\windows\system32\nvmctray.dll
    2012-02-29 14:10 . 2002-08-29 01:40  148480  ----a-w-  c:\windows\system32\imagehlp.dll
    2012-02-29 14:10 . 2001-08-23 12:00  177664  ----a-w-  c:\windows\system32\wintrust.dll
    2012-02-29 12:17 . 2004-08-04 05:59  385024  ----a-w-  c:\windows\system32\html.iec
    2011-07-08 07:16 . 2011-07-24 05:42  142296  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Akamai NetSession Interface"="c:\documents and settings\Buddy Lee\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-05-08 3331872]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
    "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-13 357384]
    "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-08-13 1573384]
    "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-13 3161608]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "RTHDCPL"="RTHDCPL.EXE" [2010-04-30 19523616]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
    "NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
    "nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-29 1634112]
    "SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-05-25 992648]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
    2007-03-20 22:36  36864  ------r-  c:\windows\RaidTool\xInsIDE.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avg9wd"=2 (0x2)
    "avg9emc"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\defcon\\defcon.exe"=
    "c:\\Program Files\\Games\\Counter-Strike Source\\hl2.exe"=
    "c:\\Program Files\\Games\\Flatout2-DVD\\FlatOut2.exe"=
    "c:\\UT2004\\System\\UT2004.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\Repair.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\Activision\\Blur(TM)\\Blur.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
    "c:\\Program Files\\Portal 2\\portal2.exe"=
    "c:\\AeriaGames\\EdenEternal\\_Launcher.exe"=
    "c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\duke nukem forever demo\\System\\DukeForeverDemo.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
    "c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
    "c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\launcher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\orcs must die!\\build\\release\\OrcsMustDie.exe"=
    "c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\betatest\\retailclient\\swtor.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\borderlands\\Binaries\\Borderlands.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\magic 2012 demo\\Magic_2012.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Apps\\2.0\\V5MX5KZZ.1XK\\ZEL7LV1A.0XR\\curs..tion_eee711038731a406_0004.0000_2bd39706d04e72c8\\CurseClient.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.524\\Agent.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.954\\Agent.exe"=
    "c:\\Program Files\\Diablo III\\Diablo III.exe"=
    "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.976\\Agent.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    "57608:TCP"= 57608:TCP:*:Disabled:Pando Media Booster
    "57608:UDP"= 57608:UDP:*:Disabled:Pando Media Booster
    "58162:TCP"= 58162:TCP:*:Disabled:Pando Media Booster
    "58162:UDP"= 58162:UDP:*:Disabled:Pando Media Booster
    "8378:TCP"= 8378:TCP:League of Legends Launcher
    "8378:UDP"= 8378:UDP:League of Legends Launcher
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "8379:TCP"= 8379:TCP:League of Legends Launcher
    "8379:UDP"= 8379:UDP:League of Legends Launcher
    "8380:TCP"= 8380:TCP:League of Legends Launcher
    "8380:UDP"= 8380:UDP:League of Legends Launcher
    "8381:TCP"= 8381:TCP:League of Legends Launcher
    "8381:UDP"= 8381:UDP:League of Legends Launcher
    "8382:TCP"= 8382:TCP:League of Legends Launcher
    "8382:UDP"= 8382:UDP:League of Legends Launcher
    "8383:TCP"= 8383:TCP:League of Legends Launcher
    "8383:UDP"= 8383:UDP:League of Legends Launcher
    "8393:TCP"= 8393:TCP:League of Legends Lobby
    "8393:UDP"= 8393:UDP:League of Legends Lobby
    "8390:TCP"= 8390:TCP:League of Legends Game Client
    "8390:UDP"= 8390:UDP:League of Legends Game Client
    "6885:TCP"= 6885:TCP:League of Legends Launcher
    "6885:UDP"= 6885:UDP:League of Legends Launcher
    "1050:TCP"= 1050:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    .
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [4/30/2011 10:27 AM 218688]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/23/2001 8:00 AM 14336]
    R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [5/25/2012 3:12 PM 785344]
    R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/5/2009 5:20 PM 68136]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [5/18/2012 4:57 PM 2348352]
    R3 AODDriver;AODDriver;c:\program files\GIGABYTE\ET6\i386\AODDriver.sys [2/23/2009 1:16 AM 7168]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [7/14/2009 4:35 PM 19720]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/5/2009 5:23 PM 1691480]
    S3 etdrv;etdrv;c:\windows\etdrv.sys [12/6/2009 6:06 PM 17488]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
    SUnknown GVTDrv;GVTDrv; [x]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai  REG_MULTI_SZ  Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-28 c:\windows\Tasks\AdobeAAMUpdater-1.0-APEVIA-Buddy Lee.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-27 08:44]
    .
    2012-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
    .
    2010-03-27 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1100 series272A572217594EBCF1CEE215E352B92AD073FDE4260471350.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
    .
    2012-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1364589140-839522115-1003Core.job
    - c:\documents and settings\Buddy Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-06 08:09]
    .
    2012-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1364589140-839522115-1003UA.job
    - c:\documents and settings\Buddy Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-06 08:09]
    .
    2012-05-28 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = 127.0.0.1;127.0.0.1:9421;*.local;<local>
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 10.0.0.1
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Buddy Lee\Application Data\Mozilla\Firefox\Profiles\xmqrti8r.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    HKCU-Run-Sonic RecordNow! Deluxe - (no file)
    MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
    AddRemove-FlatOut Ultimate Carnage - d:\games\FlatOut Ultimate Carnage\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-28 10:02
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
    "ServiceDll"="c:\program files\common files\akamai/netsession_win_6c825ce.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-746137067-1364589140-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:fc,95,3b,54,93,42,d1,d6,a6,d4,2b,fe,61,86,4f,74,e3,2a,b8,29,bb,
    e0,cc,45,2f,84,2b,f4,d0,b6,fd,1d,77,61,77,7c,f6,08,6e,be,f3,0c,04,3e,d6,c5,\
    "rkeysecu"=hex:f6,73,5d,ec,09,43,10,ab,85,ec,04,41,ad,f0,c5,d7
    .
    Completion time: 2012-05-28 10:03:53
    ComboFix-quarantined-files.txt 2012-05-28 14:03
    .
    Pre-Run: 381,798,092,800 bytes free
    Post-Run: 382,124,736,512 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer
    .
    - - End Of File - - 7ACA86425B289558FD1F069F47DE1AA1
    From the EsetOnlineScan:
    C:\Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exeWin32/Toolbar.Widgi application
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\nWin32/Sirefef.EV trojan
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xulJS/Redirector.NIQ trojan
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exea variant of Win32/InstallCore.D application
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exea variant of Win32/InstallCore.D application
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exea variant of Win32/InstallCore.D application
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exea variant of Win32/InstallCore.D application
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exea variant of Win32/InstallCore.D application
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exea variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372442.rbfa variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372443.rbfa variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372458.rbfprobably a variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP798\A0383308.msia variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412141.exea variant of Win32/InstallCore.T application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412142.exea variant of Win32/InstallIQ application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412143.exea variant of Win32/InstallIQ application
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Here are instructions to remove SearchSettings:
    1. Click on Start> Control Panel> "Add/Remove Programs" or "Uninstall a Program."
    2. Look for Search Settings in the list that follows. If it appears (it usually doesn't), select and delete it.
    3. Click on Start> All Programs> Accessories> System Tools> Windows Explorer.
    4. Once in Windows Explorer> click on Tools> Folder Options> View tab> Check 'Show hidden files and folders'> Uncheck 'Hide system files (Recommended)'> Click on Apply and click Yes to confirm.
    5. Again click on Tools> Manage Add-ons> Find Search Settings in the list and select Disable (or Remove if possible). Note: Look in both 'Add-ons currently loaded' and 'Add-ons that have been used by Internet Explorer'.
    6. Open Firefox if you have it installed> Tools> Add-ons> Look for Search Settings. If it's there, click the Uninstall button.
    7. Download the free Windows Installer CleanUp Utility. Install, then open the utility. Look for Search Settings among the programs listed, select it, and then press the "Remove" button.
    ===================================================
    Please download OTMoveIt by OldTimer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      C:\Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exe
      C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\nWin32/Sirefef.EV trojan
      C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe
          
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    --------------------------------------
    Note 1: When you have a download screen in front of you, carefully look for any pre-checked boxes. If there are any, click to uncheck the box.
    Note 2: When you install a program, if given a choice, choose Custom Install instead of Standard.
    ================================================
    When we have finished cleaning, I will have you set a new, clean restore point, then remove all of the old restore points.
    =================================================

    Remove Zero.Access (Sirefef)
    ESET has provided a stand-alone malware removal tool to remove this particularly resilient threat. Follow the steps below.
    1. Download, save and run the Win32/Sirefef stand-alone malware removal tool and follow the prompts as directed.
    2. If this tool is unsuccessful in cleaning, try restarting into Safe Mode with Networking and running it again.
    3. When finished, update and rescan with the Eset online scanner.
    Leave any new log that is generated.
     
  5. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Hello.

    I ran into hiccups with the following:

    Search settings: I was unable to find any instances of search settings with the Add/Remove Programs, Manage Add-Ons in Internet Explorer or Firefox and it was also not listed in Chrome anywhere. Also it was not listed in the Windows Installer Cleanup Utility.

    OTMoveIt: When I ran the program I got an error message stating "Invalid time flag! [ Sirefef.EV trajan ] Must be numerical." At this point I clicked OK and then MoveIt again. I did get a log, which I post below. (I hope that I ran this one right.)

    Remove Zero.Access (Sirefef): I ran this both in normal mode and in safe mode with networking and got error message stating "Win32/Sirefef has NOT been found on your system".

    I am currently running the Eset online scanner but seeing that the scan will take quite some time (I think it took 3 hours last time) I wanted to at least update you with this information. Once that scan is done I will post any logs in my next reply.

    Here is the OTMoveIt log:

    All processes killed
    Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\nWin32/Sirefef.EV trojan> in the current context!
    Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul> in the current context!
    Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe> in the current context!
    Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe> in the current context!
    Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe> in the current context!
    Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe> in the current context!
    Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe> in the current context!
    Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe> in the current context!
    Error: Unable to interpret < > in the current context!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 57037 bytes

    User: All Users

    User: Buddy Lee
    ->Temp folder emptied: 2425009 bytes
    ->Temporary Internet Files folder emptied: 9911811 bytes
    ->Java cache emptied: 8478 bytes
    ->FireFox cache emptied: 26227486 bytes
    ->Google Chrome cache emptied: 366142719 bytes
    ->Flash cache emptied: 62665 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 56475 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 6848 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56475 bytes

    %systemdrive% .tmp files removed: 3138 bytes
    %systemroot% .tmp files removed: 1138887 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 21735 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33728 bytes
    RecycleBin emptied: 11010944 bytes

    Total Files Cleaned = 398.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 05282012_213124

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_504.dat not found!

    Registry entries deleted on Reboot...
     
  6. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Here is the Eset Online log:

    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\nWin32/Sirefef.EV trojan
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xulJS/Redirector.NIQ trojan
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exea variant of Win32/InstallCore.D application
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exea variant of Win32/InstallCore.D application
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exea variant of Win32/InstallCore.D application
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exea variant of Win32/InstallCore.D application
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exea variant of Win32/InstallCore.D application
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exea variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372442.rbfa variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372443.rbfa variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372458.rbfprobably a variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP798\A0383308.msia variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412141.exea variant of Win32/InstallCore.T application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412142.exea variant of Win32/InstallIQ application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412143.exea variant of Win32/InstallIQ application
    C:\_OTM\MovedFiles\05282012_213059\C_Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exeWin32/Toolbar.Widgi application
     
  7. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    I do have one question regarding the OTMoveIt instructions of "Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):". I am assuming that you are referring to all of the lines in the code box below it (from :Files to [Reboot]), correct?

    Thanks again for all of your help, especially on the holiday. :)
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- that OTM problem was my mistake. I left the malware name in.

    But I have a question about the CNet downloads. Are you currently running those downloads? If you are, I will need to put them in Processes instead of Files.

    Any time you are instructed to copy the contents of the code box, you copy everything that is in the code box.

    Regarding the secure/not secure/red x/ image place holder:
    There are specific settings in browsers where you check specific entries according to how you want the browser to behave. For instance, in Internet Options for IE, Advanced tab> Security section> there is a line you can check: 'Warn if changing between secure and not secure mode.' If that is checked, you would get a message like the one you are describing from Chrome. If you decide to go ahead, that's your option; the browser did its job.
    =====================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code box below into it:
    Code:
    File::
    Folder::
    c:\documents and settings\Buddy Lee\Application Data\Search Settings
    c:\program files\Application Updater
    c:\program files\YouTube Downloader Toolbar
    c:\program files\Common Files\Spigot
    c:\documents and settings\UpdatusUser
    DDS::
    uInternet Settings,ProxyOverride = 127.0.0.1;127.0.0.1:9421;*.local;<local>
    uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
    BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
    TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SearchSettings"=-
     
    Clearjavacache::
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    You need to be careful about pre-checked items on download screens. You also should choose Custom install for downloaded programs rather than Standard install. Example:
    YouTube Downloader Toolbar:>> Vendio YouTube Downloader Toolbar, bundled with certain YouTube Downloaders, installed in tandem with their Search Settings foistware

    I have used the script to remove as much as I can see of the toolbar and Search Settings. I will have you run a scan toward the end to make sure we got it all. Check Add/Remove Programs and remove the YouTube Downloader Toolbar if it is there. Then use Windows Explorer to delete the program folder.
    ======================
    Please update the following:
    Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
    Adobe Reader > Current is vX (10.xx)> Adobe Reader Update
    Java(TM) > Current is now v7u4. Java Updates.
    Uninstall any earlier versions of both, as they are vulnerabilities for the system.
    ======================
    I have OTM set up again. Let me know if the processes are running so I can put them in the correct section.
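The OTMoveIt error earlier in this thread came from an ESET Online Scanner log line pasted into the :Files block with its detection name still attached ("...\nWin32/Sirefef.EV trojan"), because the ESET log prints path and detection with no separator. The script below is an added example, not part of the thread or of any tool used in it: it splits the ESET lines shown above into path and detection, builds a :Files block of bare paths (leaving System Restore snapshot files for the restore-point cleanup Bobbye mentions), and flags any :Files line that still carries a detection name. The list of detection-name prefixes is an assumption drawn from the log lines in this thread, not ESET's documented format.

```python
"""Split ESET Online Scanner log lines into (path, detection) and build a
clean OTM ':Files' block from them.

Added example for this thread, not part of OTM, ComboFix or ESET.  The
marker list below is an assumption based on the log lines posted above.
"""
import re

# Detection names in the posted log start with one of these.  The leftmost
# match marks where the path ends; alternative order only matters when two
# markers start at the same offset ("probably a variant of" vs "a variant of").
_DETECTION_START = re.compile(
    r"probably a variant of |a variant of |Win32/|JS/"
)


def split_eset_line(line):
    """Return (path, detection) for one ESET log line, or None when no
    detection marker follows a non-empty path (a clean path, or junk)."""
    line = line.strip()
    m = _DETECTION_START.search(line)
    if m is None or m.start() == 0:
        return None
    return line[:m.start()], line[m.start():]


def is_restore_point(path):
    """True for files inside System Restore snapshots; those are dealt with
    by flushing old restore points rather than moving files one by one."""
    return "\\System Volume Information\\_restore" in path


def otm_files_block(log_lines):
    """Build an OTM-style script: ':Files' with bare paths only, followed by
    the ':Commands' section used in this thread."""
    paths = []
    for raw in log_lines:
        parsed = split_eset_line(raw)
        if parsed is None:
            continue
        path, _detection = parsed
        if is_restore_point(path) or path in paths:
            continue
        paths.append(path)
    return "\n".join([":Files", *paths, "", ":Commands", "[purity]",
                      "[emptytemp]", "[start explorer]", "[Reboot]"])


def find_stray_detections(script_text):
    """Return ':Files' lines that still carry a detection name, the kind of
    line that produced the 'Invalid time flag' error seen in this thread."""
    bad = []
    in_files = False
    for line in script_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(":"):
            in_files = stripped.lower() == ":files"
            continue
        if in_files and stripped and _DETECTION_START.search(stripped):
            bad.append(stripped)
    return bad


# Sample input: four lines copied from the ESET log posted above, one of
# them a System Restore snapshot file.
SAMPLE_LOG = [
    r"C:\Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exeWin32/Toolbar.Widgi application",
    r"C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\nWin32/Sirefef.EV trojan",
    r"C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exea variant of Win32/InstallCore.D application",
    r"C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372458.rbfprobably a variant of Win32/Toolbar.Widgi application",
]

if __name__ == "__main__":
    script = otm_files_block(SAMPLE_LOG)
    print(script)
    print("stray detections:", find_stray_detections(script))
```

Note that the Sirefef entry resolves to a file literally named "n" inside the {GUID} folder, so the :Files line must end in "\n" with nothing after it.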
     
  9. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Ok, looks like I did not run into any hiccups this time. :)

    To answer your question about the CNET programs, I am not currently using them. So do with them what you will as I would not be upset if we ended up installing them if we need to. (I had use for them a while ago.)

    Thanks for the secured/not secured explanation. I thought it was strange because I was just going to www.google.com and didn't realize that it was a secure site. However, I then noticed that I was signed into google. I proceeded to sign out of google and the "unsecure content" warning stopped surfacing. (I was wondering if maybe it was part of the virus.)

    ComboFix ran and the log is at the end of the post.

    I used Add/Remove Programs to uninstall the toolbar but was unable to find the program folder. (Maybe the uninstall removed it?) Also, the latest versions of Java and Adobe Reader are now installed. With Java I found an earlier version that I uninstalled, but with Adobe Reader I did not find an earlier version installed. Also, when looking through Add/Remove Programs I did find JavaFX 2.1.0. Do I need to remove that as well?

    ComboFix Log:

    ComboFix 12-05-28.01 - Buddy Lee 05/29/2012 20:04:20.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2726 [GMT -4:00]
    Running from: c:\documents and settings\Buddy Lee\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Buddy Lee\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Buddy Lee\Application Data\Search Settings
    c:\program files\Application Updater
    c:\program files\Application Updater\ApplicationUpdater.exe
    c:\program files\Application Updater\config.ini
    c:\program files\Common Files\Spigot
    c:\program files\Common Files\Spigot\Search Settings\baidu_ff.xml
    c:\program files\Common Files\Spigot\Search Settings\baidu_ie.xml
    c:\program files\Common Files\Spigot\Search Settings\config.ini
    c:\program files\Common Files\Spigot\Search Settings\Lang\res1031.ini
    c:\program files\Common Files\Spigot\Search Settings\Lang\res1033.ini
    c:\program files\Common Files\Spigot\Search Settings\Lang\res1034.ini
    c:\program files\Common Files\Spigot\Search Settings\Lang\res1036.ini
    c:\program files\Common Files\Spigot\Search Settings\Lang\res1040.ini
    c:\program files\common files\spigot\search settings\SearchSettings.exe
    c:\program files\Common Files\Spigot\Search Settings\wth.dll
    c:\program files\Common Files\Spigot\Search Settings\yahoo_ff.xml
    c:\program files\Common Files\Spigot\Search Settings\yahoo_ie.xml
    c:\program files\Common Files\Spigot\Search Settings\yandex_ff.xml
    c:\program files\Common Files\Spigot\Search Settings\yandex_ie.xml
    c:\program files\Common Files\Spigot\wtxpcom\chrome.manifest
    c:\program files\Common Files\Spigot\wtxpcom\components\chrome.manifest
    c:\program files\Common Files\Spigot\wtxpcom\components\IFBHOHelperWidgiToolbar.xpt
    c:\program files\Common Files\Spigot\wtxpcom\components\IFBHOWidgiToolbar.xpt
    c:\program files\Common Files\Spigot\wtxpcom\components\install.rdf
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.10
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.11
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.12
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.13
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.14
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.6
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.7
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.8
    c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.9
    c:\program files\Common Files\Spigot\wtxpcom\install.rdf
    c:\program files\YouTube Downloader Toolbar
    c:\program files\YouTube Downloader Toolbar\FF\chrome.manifest
    c:\program files\YouTube Downloader Toolbar\FF\chrome\chrome.jar
    c:\program files\YouTube Downloader Toolbar\FF\install.rdf
    c:\program files\YouTube Downloader Toolbar\IE\5.8\config.ini
    c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
    c:\program files\YouTube Downloader Toolbar\Res\amazon.gif
    c:\program files\YouTube Downloader Toolbar\Res\dailymotion.gif
    c:\program files\YouTube Downloader Toolbar\Res\dropinsavings.gif
    c:\program files\YouTube Downloader Toolbar\Res\dropinsavingsabt.gif
    c:\program files\YouTube Downloader Toolbar\Res\ebay.gif
    c:\program files\YouTube Downloader Toolbar\Res\facebook.gif
    c:\program files\YouTube Downloader Toolbar\Res\googleplus.gif
    c:\program files\YouTube Downloader Toolbar\Res\hulu.gif
    c:\program files\YouTube Downloader Toolbar\Res\icon_settings.gif
    c:\program files\YouTube Downloader Toolbar\Res\Lang\res1031.ini
    c:\program files\YouTube Downloader Toolbar\Res\Lang\res1033.ini
    c:\program files\YouTube Downloader Toolbar\Res\Lang\res1034.ini
    c:\program files\YouTube Downloader Toolbar\Res\Lang\res1036.ini
    c:\program files\YouTube Downloader Toolbar\Res\Lang\res1040.ini
    c:\program files\YouTube Downloader Toolbar\Res\metacafe.gif
    c:\program files\YouTube Downloader Toolbar\Res\radio-close.gif
    c:\program files\YouTube Downloader Toolbar\Res\radio-minimize.gif
    c:\program files\YouTube Downloader Toolbar\Res\radiobeta.gif
    c:\program files\YouTube Downloader Toolbar\Res\search-button-hover.gif
    c:\program files\YouTube Downloader Toolbar\Res\search-button.gif
    c:\program files\YouTube Downloader Toolbar\Res\search-chevron-hover.gif
    c:\program files\YouTube Downloader Toolbar\Res\search-chevron.gif
    c:\program files\YouTube Downloader Toolbar\Res\search_amazon.gif
    c:\program files\YouTube Downloader Toolbar\Res\search_baidu.gif
    c:\program files\YouTube Downloader Toolbar\Res\search_ebay.gif
    c:\program files\YouTube Downloader Toolbar\Res\search_yahoo.gif
    c:\program files\YouTube Downloader Toolbar\Res\search_yandex.gif
    c:\program files\YouTube Downloader Toolbar\Res\search_youtube.gif
    c:\program files\YouTube Downloader Toolbar\Res\twitter.gif
    c:\program files\YouTube Downloader Toolbar\Res\veoh.gif
    c:\program files\YouTube Downloader Toolbar\Res\widgets.xml
    c:\program files\YouTube Downloader Toolbar\Res\youtube.gif
    c:\program files\YouTube Downloader Toolbar\Res\ytd.gif
    c:\program files\YouTube Downloader Toolbar\Res\ytd_logo.gif
    c:\program files\YouTube Downloader Toolbar\Res\ytd_logo_hover.gif
    c:\program files\YouTube Downloader Toolbar\WidgiHelper.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_Application_Updater
    -------\Legacy_Application_Updater
    -------\Service_Application Updater
    -------\Service_Application Updater
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-29 23:51 . 2012-05-08 16:40  6737808  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{14ACBC3D-9079-4E34-B395-85248A5F0E45}\mpengine.dll
    2012-05-29 01:30 . 2012-05-29 01:30  --------  d-----w-  C:\_OTM
    2012-05-29 01:24 . 2012-05-29 01:24  3584  ----a-r-  c:\documents and settings\Buddy Lee\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2012-05-29 01:24 . 2012-05-29 01:24  --------  d-----w-  c:\program files\Windows Installer Clean Up
    2012-05-29 01:24 . 2012-05-29 01:24  --------  d-----w-  c:\program files\MSECACHE
    2012-05-28 14:09 . 2012-05-28 14:09  --------  d-----w-  c:\program files\ESET
    2012-05-28 14:07 . 2012-05-08 16:40  6737808  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-05-27 14:44 . 2012-05-27 14:44  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\{61292E35-A7F7-11E1-8270-B8AC6F996F26}
    2012-05-27 12:27 . 2012-05-27 12:27  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}
    2012-05-18 20:57 . 2012-05-18 20:57  --------  d-----w-  c:\documents and settings\UpdatusUser
    2012-05-18 20:55 . 2012-02-29 23:58  881984  ----a-w-  c:\windows\system32\nvgenco32.dll
    2012-05-18 20:55 . 2012-02-29 23:58  1000256  ----a-w-  c:\windows\system32\nvdispco32.dll
    2012-05-18 16:06 . 2012-05-18 16:06  --------  d-----w-  c:\documents and settings\Buddy Lee\Application Data\DDMSettings
    2012-05-16 03:48 . 2012-05-16 10:20  --------  d-----w-  c:\program files\Diablo III
    2012-05-16 03:45 . 2012-05-16 03:45  --------  d-----w-  c:\documents and settings\All Users\Application Data\Battle.net
    2012-05-11 03:48 . 2012-05-11 03:49  --------  d-----w-  c:\documents and settings\Administrator
    2012-05-11 02:17 . 2012-05-11 02:17  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\Citrix
    2012-05-04 20:39 . 2012-05-04 20:39  419488  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-30 00:17 . 2009-12-06 22:06  24944  ----a-w-  c:\windows\system32\drivers\GVTDrv.sys
    2012-05-30 00:17 . 2009-12-06 22:06  17488  ----a-w-  c:\windows\gdrv.sys
    2012-05-04 20:39 . 2011-06-07 13:15  70304  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-11 13:14 . 2002-08-28 23:04  2148352  ----a-w-  c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12 . 2002-08-29 00:14  1862272  ----a-w-  c:\windows\system32\win32k.sys
    2012-04-11 12:35 . 2002-08-29 01:04  2026496  ----a-w-  c:\windows\system32\ntkrnlpa.exe
    2012-04-04 19:56 . 2011-03-24 00:35  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-03-21 00:44 . 2010-10-25 01:25  171064  ----a-w-  c:\windows\system32\drivers\MpFilter.sys
    2012-03-03 04:53 . 2009-12-06 22:06  17488  ----a-w-  c:\windows\etdrv.sys
    2012-03-01 11:01 . 2002-08-29 01:41  1469440  ------w-  c:\windows\system32\inetcpl.cpl
    2012-03-01 11:01 . 2002-08-29 01:41  916992  ----a-w-  c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2002-08-29 01:41  43520  ----a-w-  c:\windows\system32\licmgr10.dll
    2011-07-08 07:16 . 2011-07-24 05:42  142296  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-05-28_14.02.24 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-05-30 00:16 . 2012-05-30 00:16  16384  c:\windows\Temp\Perflib_Perfdata_618.dat
    + 2012-05-30 00:17 . 2012-05-30 00:17  16384  c:\windows\Temp\Perflib_Perfdata_5ec.dat
    + 2012-05-30 00:16 . 2012-05-30 00:16  16384  c:\windows\Temp\Perflib_Perfdata_590.dat
    + 2001-08-23 12:00 . 2012-05-29 23:45  81358  c:\windows\system32\perfc009.dat
    - 2001-08-23 12:00 . 2012-05-28 13:49  81358  c:\windows\system32\perfc009.dat
    + 2001-08-23 12:00 . 2012-05-29 23:45  466778  c:\windows\system32\perfh009.dat
    - 2001-08-23 12:00 . 2012-05-28 13:49  466778  c:\windows\system32\perfh009.dat
    + 2012-05-29 01:24 . 2012-05-29 01:24  472064  c:\windows\Installer\2e884d.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Akamai NetSession Interface"="c:\documents and settings\Buddy Lee\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-05-08 3331872]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
    "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-13 357384]
    "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-08-13 1573384]
    "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-13 3161608]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "RTHDCPL"="RTHDCPL.EXE" [2010-04-30 19523616]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
    "NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
    "nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-29 1634112]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
    2007-03-20 22:36  36864  ------r-  c:\windows\RaidTool\xInsIDE.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avg9wd"=2 (0x2)
    "avg9emc"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\defcon\\defcon.exe"=
    "c:\\Program Files\\Games\\Counter-Strike Source\\hl2.exe"=
    "c:\\Program Files\\Games\\Flatout2-DVD\\FlatOut2.exe"=
    "c:\\UT2004\\System\\UT2004.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\Repair.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\Activision\\Blur(TM)\\Blur.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
    "c:\\Program Files\\Portal 2\\portal2.exe"=
    "c:\\AeriaGames\\EdenEternal\\_Launcher.exe"=
    "c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\duke nukem forever demo\\System\\DukeForeverDemo.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
    "c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
    "c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\launcher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\orcs must die!\\build\\release\\OrcsMustDie.exe"=
    "c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\betatest\\retailclient\\swtor.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\borderlands\\Binaries\\Borderlands.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\magic 2012 demo\\Magic_2012.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Apps\\2.0\\V5MX5KZZ.1XK\\ZEL7LV1A.0XR\\curs..tion_eee711038731a406_0004.0000_2bd39706d04e72c8\\CurseClient.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.524\\Agent.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.954\\Agent.exe"=
    "c:\\Program Files\\Diablo III\\Diablo III.exe"=
    "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.976\\Agent.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    "57608:TCP"= 57608:TCP:*:Disabled:pando Media Booster
    "57608:UDP"= 57608:UDP:*:Disabled:pando Media Booster
    "58162:TCP"= 58162:TCP:*:Disabled:pando Media Booster
    "58162:UDP"= 58162:UDP:*:Disabled:pando Media Booster
    "8378:TCP"= 8378:TCP:League of Legends Launcher
    "8378:UDP"= 8378:UDP:League of Legends Launcher
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "8379:TCP"= 8379:TCP:League of Legends Launcher
    "8379:UDP"= 8379:UDP:League of Legends Launcher
    "8380:TCP"= 8380:TCP:League of Legends Launcher
    "8380:UDP"= 8380:UDP:League of Legends Launcher
    "8381:TCP"= 8381:TCP:League of Legends Launcher
    "8381:UDP"= 8381:UDP:League of Legends Launcher
    "8382:TCP"= 8382:TCP:League of Legends Launcher
    "8382:UDP"= 8382:UDP:League of Legends Launcher
    "8383:TCP"= 8383:TCP:League of Legends Launcher
    "8383:UDP"= 8383:UDP:League of Legends Launcher
    "8393:TCP"= 8393:TCP:League of Legends Lobby
    "8393:UDP"= 8393:UDP:League of Legends Lobby
    "8390:TCP"= 8390:TCP:League of Legends Game Client
    "8390:UDP"= 8390:UDP:League of Legends Game Client
    "6885:TCP"= 6885:TCP:League of Legends Launcher
    "6885:UDP"= 6885:UDP:League of Legends Launcher
    .
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [4/30/2011 10:27 AM 218688]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/23/2001 8:00 AM 14336]
    R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/5/2009 5:20 PM 68136]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [5/18/2012 4:57 PM 2348352]
    R3 AODDriver;AODDriver;c:\program files\GIGABYTE\ET6\i386\AODDriver.sys [2/23/2009 1:16 AM 7168]
    R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [12/6/2009 6:06 PM 24944]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [7/14/2009 4:35 PM 19720]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/5/2009 5:23 PM 1691480]
    S3 etdrv;etdrv;c:\windows\etdrv.sys [12/6/2009 6:06 PM 17488]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai  REG_MULTI_SZ  Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-29 c:\windows\Tasks\AdobeAAMUpdater-1.0-APEVIA-Buddy Lee.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-27 08:44]
    .
    2012-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
    .
    2010-03-27 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1100 series272A572217594EBCF1CEE215E352B92AD073FDE4260471350.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
    .
    2012-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1364589140-839522115-1003Core.job
    - c:\documents and settings\Buddy Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-06 08:09]
    .
    2012-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1364589140-839522115-1003UA.job
    - c:\documents and settings\Buddy Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-06 08:09]
    .
    2012-05-29 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Buddy Lee\Application Data\Mozilla\Firefox\Profiles\xmqrti8r.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
    FF - prefs.js: network.proxy.type - 0
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-29 20:17
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
    "ServiceDll"="c:\program files\common files\akamai/netsession_win_80c2ffa.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-746137067-1364589140-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:fc,95,3b,54,93,42,d1,d6,a6,d4,2b,fe,61,86,4f,74,e3,2a,b8,29,bb,
    e0,cc,45,2f,84,2b,f4,d0,b6,fd,1d,77,61,77,7c,f6,08,6e,be,f3,0c,04,3e,d6,c5,\
    "rkeysecu"=hex:f6,73,5d,ec,09,43,10,ab,85,ec,04,41,ad,f0,c5,d7
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2872)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\PnkBstrB.exe
    c:\windows\system32\Tablet.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\GIGABYTE\ET6\GUI.exe
    c:\windows\system32\RunDLL32.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-29 20:20:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-30 00:20
    ComboFix2.txt 2012-05-28 14:03
    .
    Pre-Run: 382,268,194,816 bytes free
    Post-Run: 382,160,887,808 bytes free
    .
    - - End Of File - - 3A7A51E9E53C635D2C8CA191E4A031DC
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Edit: Run Bootkit Scan in my Reply #12 first.

    Let's go ahead and handle these:

    How to disable this service:

    Open a command prompt. (Run a command prompt as Administrator in Windows vista/7)
    Copy command line and Paste.


    Code:
    sc stop "avg9wd"
    sc config "avg9wd" start= disabled
    sc delete "avg9wd"
    

    Done!
    Close the command prompt.
    ==============================================
    Please run OTM again, to make sure whatever Eset found has been handled. I've corrected the code:
    Please download OTMoveIt by OldTimer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files
      C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n
      C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe
      C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    --------------------------------------
    Let's make sure malware isn't hiding in a process:

    Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
    When the scan has finished, you will see a completion message:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
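    The three sc commands above assume the service is still registered; if it is not, sc.exe reports error 1060 ("The specified service does not exist as an installed service") on every step. The following is an added example, not part of Bobbye's instructions or any tool used in this thread: a PowerShell function that checks for the service first, stops, disables and deletes it only when it actually exists, and then clears the matching entry under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services, which is where msconfig keeps its own record of services it has disabled and which is exactly the key ComboFix printed the avg9wd / avg9emc names from. The service names are taken from the ComboFix log above; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Remove leftover services idempotently
# and clean msconfig's stale record of them. Service names are from the
# ComboFix log in this thread; written for PowerShell 2.0 so it runs on XP.
function Remove-StaleService {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Name
    )
    # msconfig writes one value per service it has disabled under this key;
    # the value survives uninstalling the product, which is why ComboFix
    # still lists the names even after the services themselves are gone.
    $msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\services'

    foreach ($svc in $Name) {
        $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($service) {
            # Real, registered service: stop it, prevent restart, then delete.
            if ($service.Status -ne 'Stopped') {
                Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            }
            Set-Service -Name $svc -StartupType Disabled
            # PowerShell 2.0 has no Remove-Service; sc.exe does the deletion.
            & sc.exe delete $svc | Out-Null
            Write-Output "$svc : stopped, disabled and deleted"
        } else {
            # Same condition sc.exe reports as error 1060: nothing to delete.
            Write-Output "$svc : not installed (sc.exe would report error 1060)"
        }

        # Clear msconfig's leftover record so the name stops showing up in logs.
        if (Test-Path $msconfigKey) {
            $item = Get-ItemProperty -Path $msconfigKey -ErrorAction SilentlyContinue
            if ($item -and $item.PSObject.Properties[$svc]) {
                Remove-ItemProperty -Path $msconfigKey -Name $svc
                Write-Output "$svc : removed stale msconfig entry"
            }
        }

        # A service key still present in the registry but unknown to the SCM
        # is worth a look (possible half-removed driver); report, don't delete.
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not $service -and (Test-Path $regPath)) {
            Write-Output "$svc : registry key still present at $regPath; inspect before removing"
        }
    }
}

Remove-StaleService -Name 'avg9wd', 'avg9emc'
```

    Checking Get-Service before calling sc.exe is what turns the three failing commands into a no-op; the msconfig cleanup is the part that actually makes the names disappear from the next ComboFix run, because that key, not the Services key, is where they were listed.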
     
  11. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Edit: Run Bootkit Scan in my Reply #12 first

    I will go ahead and try these items later today. However, I must warn you that last night I lost my phone and DSL service. I have contacted the phone company and they have stated that I am part of a "group outage" that may not be fixed until Friday. However, I believe that I may be having some other issues with the DSL lines that may take more time to fix. You may be wondering why I am telling you this... I just wanted you to know this in case I am unable to perform any of these tasks for a few days until my Internet connection has been re-established. However, until that happens I will do what steps I can (without going out of order) and update you either through work or my phone's internet. I just don't want this thread to get closed on me if the phone company is slow to fix the issue.

    Thank you for your patience with this matter.

    I did have one other question. While I am going through the virus/malware removal process, I have been disabling my internet connection (via Network Connections) when I am done following your steps and just reactivating it when I know you have more for me to do. Should I keep doing this to try and keep my PC quarantined and offline until we are sure that it has been cleaned, or am I being too cautious about it?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for the update- writing note to myself to keep open.

    You do not need to disconnect from the internet in general. If you need to run in other than Normal Mode, I will advise you.
    =====================================
    DO FIRST:
    I missed an entry in GMER. Before you run the previous scans I left, please do the following first:

    Bootkit Remover:

    Download Bootkit Remover.zip and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      (Vista/7 users,right click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    =====================================
     
  13. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Thanks for understanding about my internet situation, I really appreciate it and will keep you updated.

    So it looks like I will be following the scan in Reply #12 first (Bootkit Remover) and THEN go back and then follow the instructions in #10. Gotcha. Do you want me to post the log from the Bootkit Remover before proceeding to the instructions in #10? Or can I just follow #12 and then go right into #10?
     
  14. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Well it looks like they fixed my phone and DSL sooner than I had thought! Ok I ran through the steps (doing the Bootkit Remover step first) and here are my results:

    Bootkit Log:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    931 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...


    Command Prompt (I grabbed this stuff since I'm not sure if it worked):

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Buddy Lee>sc stop "avg9wd"
    [SC] OpenService FAILED 1060:

    The specified service does not exist as an installed service.


    C:\Documents and Settings\Buddy Lee>sc config "avg9wd" start= disabled
    [SC] OpenService FAILED 1060:

    The specified service does not exist as an installed service.


    C:\Documents and Settings\Buddy Lee>sc delete "avg9wd"
    [SC] OpenService FAILED 1060:

    The specified service does not exist as an installed service.


    OTMoveIt Log:

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n moved successfully.
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul moved successfully.
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe moved successfully.
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe moved successfully.
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe moved successfully.
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe moved successfully.
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe moved successfully.
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 562 bytes

    User: All Users

    User: Buddy Lee
    ->Temp folder emptied: 753061 bytes
    ->Temporary Internet Files folder emptied: 3194833 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 45156242 bytes
    ->Flash cache emptied: 1016 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 6818 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 23593 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 17181247 bytes

    Total Files Cleaned = 63.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 05302012_194856

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_74.dat not found!

    Registry entries deleted on Reboot...


    MBAM Log:
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.05.30.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Buddy Lee :: APEVIA [limited]

    5/30/2012 7:58:14 PM
    mbam-log-2012-05-30 (19-58-14).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 598618
    Time elapsed: 2 hour(s), 14 minute(s), 30 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
    C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n (Backdoor.Agent.Gen) -> Quarantined and deleted successfully.

    (end)
     
  15. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    The only odd thing that happened during the MBAM run was that my MSE kicked up a warning that it had detected a threat just about when MBAM had its detection. (Since my system was online, the MSE real-time protection wasn't disabled.) If this will cause an issue I can re-run MBAM after turning off MSE's real-time protection.

    Also, I had a question about Java. In an earlier step, you had me remove the older versions of it, but I had come across JavaFX 2.1.0. Do I need to remove that as well?
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The JavaFX is for Linux Developer. You may have downloaded it by mistake. If you're asking me about it, then I don't think it was intentional. Check here, then remove: http://docs.oracle.com/javafx/2/release_notes_linux/jfxpub-release_notes_linux.htm

    Bootkit scan is okay. AVG Services must have been removed although they were still in Combofix.

    You are getting reinfected from a file- but I can't identify it:

    Previously found and removed:
    In the current Mbam log- again:
    This may be from a flashplayer object you got through the YouTube Toolbar. You can try doing a search for the file, showing hidden files and folders:

    Right click on Start> Explore> do the following from within Windows Explorer:

    Show Hidden Folders/Files
    Open My Computer.
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck (untick) Hide extensions of known file types.
    • Uncheck (untick) Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click OK.
    • Close My Computer.

    Open Search> Set the Search for your doc & settings> Appdata> look for>>

    Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}

    Do a right click> Delete if found. Then go and empty the Recycle Bin. Reset Hidden/System Files & Folders.
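    The manual search above depends on Explorer showing hidden and system-attributed items and on the helper having spotted the right GUID-named folder. The following is an added example, not part of Bobbye's instructions or of any tool in this thread, that automates the same check: it walks every profile's Local Settings\Application Data, looks for GUID-named folders and reports only those that contain the layout the MBAM log in this thread flagged (a file named n in the folder and/or a U subfolder holding *.@ files). The profile root C:\Documents and Settings is an assumed XP default; legitimate installers also use GUID folder names, so the n / U\*.@ combination is the discriminator, and removal is left as a separate, explicit step behind -WhatIf.

```powershell
# Added example (not from the thread). Find GUID-named folders under each
# profile's Local Settings\Application Data that match the drop-folder layout
# the MBAM log in this thread flagged ({GUID}\n and {GUID}\U\*.@).
# Written for PowerShell 2.0 so it runs on Windows XP.
function Find-GuidDropFolders {
    param(
        # XP profile root; assumed location, adjust for other Windows versions.
        [string] $ProfileRoot = 'C:\Documents and Settings'
    )
    $guidName = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'
    $hits = @()

    $profiles = @(Get-ChildItem -Path $ProfileRoot -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer })
    foreach ($profile in $profiles) {
        $localAppData = Join-Path $profile.FullName 'Local Settings\Application Data'
        if (-not (Test-Path $localAppData)) { continue }

        # -Force includes hidden and system-attributed entries, which is what
        # the "Show hidden files and folders" steps above achieve by hand.
        $dirs = @(Get-ChildItem -Path $localAppData -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer -and $_.Name -match $guidName })
        foreach ($dir in $dirs) {
            $nFile = Join-Path $dir.FullName 'n'
            $uDir  = Join-Path $dir.FullName 'U'
            $atFiles = @()
            if (Test-Path $uDir) {
                $atFiles = @(Get-ChildItem -Path $uDir -Force -Filter '*.@' -ErrorAction SilentlyContinue)
            }
            $hasN = Test-Path $nFile

            # Plain GUID folders are common (installers, Citrix, etc.); only
            # the combination with an 'n' file or '@' files is reported.
            if ($hasN -or $atFiles.Count -gt 0) {
                $hits += New-Object PSObject -Property @{
                    Profile  = $profile.Name
                    Folder   = $dir.FullName
                    HasNFile = $hasN
                    AtFiles  = $atFiles.Count
                    Attribs  = $dir.Attributes
                }
            }
        }
    }
    return $hits
}

$suspects = @(Find-GuidDropFolders)
$suspects | Format-List

# Review the list first; remove -WhatIf only once you are sure of each folder.
foreach ($s in $suspects) {
    Remove-Item -LiteralPath $s.Folder -Recurse -Force -WhatIf
}
```

    The Attribs column is worth reading before deleting anything: a folder carrying both Hidden and System attributes under a user's Local Application Data is unusual for normal software and is what the manual "show protected operating system files" step is meant to surface.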
     
  17. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Ok. I found and deleted the Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505} folder (and then emptied the Recycle Bin).

    Oh, on a side note, I was updating the Java on another PC to the latest version and when it installed version 7 update 4, it also installed JavaFX 2.1.0. Just thought I'd let you know.
     
  18. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Well, a little while after doing the step above, I tried doing a random search on Google (because I had to reset my modem). When I went to click on the first link in the search results, Chrome stopped me, stating something like that the website contained malware (sorry that I didn't jot the address down), but I know that it wasn't the site listed on the result I clicked on because I am familiar with that site.
     
  19. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Ok, so what's next?
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I went ahead with my own update to see what was happening. When I got JavaFX also, I went looking for why:

    Regarding Java: A learning experience for both of us:
    Full article: http://www.infoq.com/news/2011/12/javafx-java7
    ==============================================

    Please update and run a new scan with Eset so we can make sure the file is gone.
     
  21. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Hello again.

    I had 2 quick questions about the Eset scan before I run it.

    1.) Should I be disabling the real-time protection of MSE while Eset is running?
    2.) Should I have the "Remove Threats" option checked or unchecked when scanning with Eset? (I know in previous set of directions you had me remove the check.)

    Thanks.
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    #1: Yes
    #2: No. I will remove any threats along with any associated files. Directions remain:
    You're welcome.
     
  23. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Hello. Here is the Eset scan log.

    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372442.rbf	a variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372443.rbf	a variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372458.rbf	probably a variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP798\A0383308.msi	a variant of Win32/Toolbar.Widgi application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412141.exe	a variant of Win32/InstallCore.T application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412142.exe	a variant of Win32/InstallIQ application
    C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412143.exe	a variant of Win32/InstallIQ application
    C:\_OTM\MovedFiles\05282012_213059\C_Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exe	Win32/Toolbar.Widgi application
    C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul	JS/Redirector.NIQ trojan
    C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe	a variant of Win32/InstallCore.D application
    C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe	a variant of Win32/InstallCore.D application
    C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe	a variant of Win32/InstallCore.D application
    C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe	a variant of Win32/InstallCore.D application
    C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe	a variant of Win32/InstallCore.D application
    C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe	a variant of Win32/Toolbar.Widgi application
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, good job! Nothing new. System Volume is for restore points and they will be removed at the end of cleaning. OTM MovedFiles are those that were found previously and have now been handled!

    No current, active malware showing.

    How is the system doing now?
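    The triage Bobbye applies to the Eset log above (restore-point copies and OTM-quarantined files are already neutralised, anything else is still live) can be automated. The script below is an added example, not part of the thread or of any ESET tool; the log lines in it are constructed to mimic the ESET Online Scanner "path, tab, detection" format, and the paths are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the ESET Online Scanner log format
# (path, tab, detection name). Paths are placeholders, not from a real system.
SAMPLE_LOG = """\
C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP781\\A0000001.rbf\ta variant of Win32/Toolbar.Widgi application
C:\\_OTM\\MovedFiles\\05302012_194856\\C_Documents and Settings\\User\\Downloads\\setup.exe\ta variant of Win32/InstallCore.D application
C:\\Documents and Settings\\User\\Local Settings\\Temp\\dropper.dll\ta variant of Win32/Sirefef.AM trojan
"""

# A well-formed line starts with a drive letter and has a tab before the detection.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\t(?P<detection>.+)$")


def classify_path(path):
    """Return where a detection lives: 'restore_point', 'quarantine', or 'active'."""
    lowered = path.lower()
    if "\\system volume information\\_restore" in lowered:
        # Copy kept by System Restore; it goes away when restore points are cleared.
        return "restore_point"
    if "\\_otm\\movedfiles\\" in lowered:
        # Already moved out of its original location by OTM; no longer runs from there.
        return "quarantine"
    # Anything else is still in a live location and needs attention.
    return "active"


def parse_eset_log(text):
    """Return a list of (path, detection, location) tuples for well-formed lines."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # skip headers or garbled lines rather than guessing
        path, detection = m.group("path"), m.group("detection")
        results.append((path, detection, classify_path(path)))
    return results


def triage(text):
    """Count detections per location; a non-zero 'active' count means live malware remains."""
    return Counter(loc for _, _, loc in parse_eset_log(text))


if __name__ == "__main__":
    for path, detection, loc in parse_eset_log(SAMPLE_LOG):
        print(f"{loc:13} {detection:48} {path}")
    print(dict(triage(SAMPLE_LOG)))
```

Run against a real ESET log, an output of only restore_point and quarantine entries is the "nothing new, no current active malware" verdict given above; any active entry is the one to look at next.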
     
  25. Buddy Lee

    Buddy Lee TS Rookie Topic Starter Posts: 17

    Well the system is acting fine (and I am really glad you got rid of the stray AVG process). Other than the one redirect that I mentioned a few replies back my system has been acting fine except for the fact that MSE was alerting me to threats that it was finding. If I look at the MSE history, the last 2 items found (and quarantined) were on 5/30 (which were Sirefef.AM and Meredrop) but I have been pretty much not using my system during the cleaning process. So, overall the system is running fine. :)
     
Topic Status:
Not open for further replies.
