Solved My PC has a case of Sirefef

Buddy Lee

Hello.

Today my system was running normally with no abnormal symptoms when my Microsoft Security Essentials started barking at me about a threat it had detected. So I ran a full scan and it detected and quarantined Sirefef (there were a couple of Sirefefs listed as AG, AK and AB I believe). After the scan was done (3 hours later) I was about to run MBAM when MSE popped another message at me that it had quarantined a threat (Sirefef again). At that time I updated and ran MBAM and it seems to have stopped, but I would really appreciate it if someone could take a look.

Thanks in advance!

P.S. - I used to have AVG installed on the system before switching to MSE but had problems with the uninstall.

I did go through the standard initial steps and the logs are as follows:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.28.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Buddy Lee :: APEVIA [limited]

5/28/2012 1:41:32 AM
mbam-log-2012-05-28 (01-41-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 242648
Time elapsed: 12 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rfdvpn (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\BUDDYL~1\LOCALS~1\Temp\rfdvpn.dll",SteamUser -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|danonc (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\BUDDYL~1\LOCALS~1\Temp\danonc.dll",ConvertMeshSubsetToStrips -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.
C:\Documents and Settings\Buddy Lee\Local Settings\Temp\rfdvpn.dll (Trojan.Agent.LTGen) -> Delete on reboot.
C:\Documents and Settings\Buddy Lee\Local Settings\Temp\danonc.dll (Trojan.Agent.LTGen) -> Delete on reboot.

(end)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-05-28 02:08:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 rev.
Running: tqj56rvl.exe; Driver: C:\DOCUME~1\BUDDYL~1\LOCALS~1\Temp\pwtdrpod.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Buddy Lee at 2:20:31 on 2012-05-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2614 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\Akamai\netsession_win.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = 127.0.0.1;127.0.0.1:9421;*.local;<local>
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\buddy lee\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Akamai NetSession Interface] "c:\documents and settings\buddy lee\local settings\application data\akamai\netsession_win.exe"
uRun: [Sonic RecordNow! Deluxe]
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [<NO NAME>]
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260049794531
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\buddy lee\application data\mozilla\firefox\profiles\xmqrti8r.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\buddy lee\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\buddy lee\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-6 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-6 243024]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-4-30 218688]
R1 MpKsl0127d349;MpKsl0127d349;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d908845-8389-41ec-a3e9-3315fcd05ce1}\MpKsl0127d349.sys [2012-5-28 29904]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2012-5-25 785344]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-12-5 68136]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-5-18 2348352]
R3 AODDriver;AODDriver;c:\program files\gigabyte\et6\i386\AODDriver.sys [2009-2-23 7168]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-12-6 24944]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-7-14 19720]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-6 216400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-5 1691480]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2009-12-6 17488]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S4 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
S4 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
.
=============== Created Last 30 ================
.
2012-05-28 06:13:28    29904    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d908845-8389-41ec-a3e9-3315fcd05ce1}\MpKsl0127d349.sys
2012-05-28 06:10:09    6737808    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d908845-8389-41ec-a3e9-3315fcd05ce1}\mpengine.dll
2012-05-27 14:44:38    --------    d-----w-    c:\documents and settings\buddy lee\local settings\application data\{61292E35-A7F7-11E1-8270-B8AC6F996F26}
2012-05-27 12:27:55    --------    d-----w-    c:\documents and settings\buddy lee\local settings\application data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}
2012-05-26 01:22:28    6737808    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-26 01:12:35    --------    d-----w-    c:\documents and settings\buddy lee\application data\Search Settings
2012-05-26 01:12:30    --------    d-----w-    c:\program files\Application Updater
2012-05-26 01:12:29    --------    d-----w-    c:\program files\YouTube Downloader Toolbar
2012-05-26 01:12:29    --------    d-----w-    c:\program files\common files\Spigot
2012-05-18 20:55:57    881984    ----a-w-    c:\windows\system32\nvgenco32.dll
2012-05-18 20:55:57    1000256    ----a-w-    c:\windows\system32\nvdispco32.dll
2012-05-18 16:06:09    --------    d-----w-    c:\documents and settings\buddy lee\application data\DDMSettings
2012-05-18 16:04:53    9200    ------w-    c:\windows\system32\drivers\cdralw2k.sys
2012-05-18 16:04:53    9072    ------w-    c:\windows\system32\drivers\cdr4_xp.sys
2012-05-18 16:04:53    133616    ------w-    c:\windows\system32\pxafs.dll
2012-05-18 16:04:53    126448    ------w-    c:\windows\system32\pxinsi64.exe
2012-05-18 16:04:53    123888    ------w-    c:\windows\system32\pxcpyi64.exe
2012-05-18 16:04:24    --------    d-----w-    c:\program files\common files\DivX Shared
2012-05-18 15:29:26    --------    d-----w-    c:\program files\DivX
2012-05-18 15:27:46    --------    d-----w-    c:\documents and settings\all users\application data\DivX
2012-05-16 03:48:37    --------    d-----w-    c:\program files\Diablo III
2012-05-16 03:45:04    --------    d-----w-    c:\documents and settings\all users\application data\Battle.net
2012-05-11 02:26:05    102248    ----a-w-    c:\documents and settings\buddy lee\GoToAssistDownloadHelper.exe
2012-05-11 02:17:40    --------    d-----w-    c:\documents and settings\buddy lee\local settings\application data\Citrix
2012-05-04 20:39:57    419488    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-05-28 05:58:30    24944    ----a-w-    c:\windows\system32\drivers\GVTDrv.sys
2012-05-28 05:58:01    17488    ----a-w-    c:\windows\gdrv.sys
2012-05-18 20:56:33    293992    ----a-w-    c:\windows\system32\nvdrsdb0.bin
2012-05-18 20:56:33    1    ----a-w-    c:\windows\system32\nvdrssel.bin
2012-05-18 20:56:31    293992    ----a-w-    c:\windows\system32\nvdrsdb1.bin
2012-05-04 20:39:57    70304    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14:41    2148352    ----a-w-    c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06    1862272    ----a-w-    c:\windows\system32\win32k.sys
2012-04-11 12:35:51    2026496    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56:40    22344    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-03-21 00:44:12    171064    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2012-03-03 04:53:23    17488    ----a-w-    c:\windows\etdrv.sys
2012-03-01 11:01:32    916992    ----a-w-    c:\windows\system32\wininet.dll
2012-03-01 11:01:32    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2012-02-29 23:58:00    65536    ----a-w-    c:\windows\system32\OpenCL.dll
2012-02-29 23:58:00    5918720    ----a-w-    c:\windows\system32\nvcuda.dll
2012-02-29 23:58:00    4309760    ----a-w-    c:\windows\system32\nv4_disp.dll
2012-02-29 23:58:00    2522944    ----a-w-    c:\windows\system32\nvcuvid.dll
2012-02-29 23:58:00    2437440    ----a-w-    c:\windows\system32\nvcuvenc.dll
2012-02-29 23:58:00    2291712    ----a-w-    c:\windows\system32\nvapi.dll
2012-02-29 23:58:00    18624512    ----a-w-    c:\windows\system32\nvoglnt.dll
2012-02-29 23:58:00    17534976    ----a-w-    c:\windows\system32\nvcompiler.dll
2012-02-29 23:58:00    13417632    ----a-w-    c:\windows\system32\drivers\nv4_mini.sys
2012-02-29 20:30:31    54272    ----a-w-    c:\windows\system32\nvwddi.dll
2012-02-29 20:30:24    15494464    ----a-w-    c:\windows\system32\nvcpl.dll
2012-02-29 20:30:24    143680    ----a-w-    c:\windows\system32\nvcolor.exe
2012-02-29 20:30:23    164160    ----a-w-    c:\windows\system32\nvsvc32.exe
2012-02-29 20:30:23    108352    ----a-w-    c:\windows\system32\nvmctray.dll
2012-02-29 14:10:16    177664    ----a-w-    c:\windows\system32\wintrust.dll
2012-02-29 14:10:16    148480    ----a-w-    c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40    385024    ----a-w-    c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk0\DR0[0x8B037030]
3 CLASSPNP[0xB8118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000006e[0x8B026490]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8B039940]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 2:20:37.93 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/4/2009 11:32:03 PM
System Uptime: 5/28/2012 1:57:24 AM (1 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3R
Processor: Intel Pentium III Xeon processor | Socket 775 | 2999/333mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 932 GiB total, 354.491 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_02\4&33BA0C0F&0&00E4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_02\4&33BA0C0F&0&00E4
Service: RTLE8023xp
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\241D7B0DB0
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\241D7B0DB0
Service: NIC1394
.
==== System Restore Points ===================
.
RP746: 2/28/2012 6:14:02 PM - System Checkpoint
RP747: 2/29/2012 6:16:06 PM - Software Distribution Service 3.0
RP748: 3/1/2012 6:39:09 PM - Software Distribution Service 3.0
RP749: 3/2/2012 10:34:03 PM - Software Distribution Service 3.0
RP750: 3/3/2012 11:29:47 PM - System Checkpoint
RP751: 3/4/2012 1:59:30 AM - Software Distribution Service 3.0
RP752: 3/5/2012 1:57:32 PM - Software Distribution Service 3.0
RP753: 3/6/2012 2:16:15 PM - Software Distribution Service 3.0
RP754: 3/7/2012 2:17:36 PM - System Checkpoint
RP755: 3/8/2012 7:04:21 PM - Software Distribution Service 3.0
RP756: 3/9/2012 7:07:54 PM - System Checkpoint
RP757: 3/9/2012 10:38:05 PM - Software Distribution Service 3.0
RP758: 3/10/2012 8:38:05 AM - Installed DirectX
RP759: 3/11/2012 11:30:06 AM - Software Distribution Service 3.0
RP760: 3/12/2012 8:08:30 PM - Software Distribution Service 3.0
RP761: 3/14/2012 8:13:00 PM - Software Distribution Service 3.0
RP762: 3/14/2012 11:15:33 PM - Software Distribution Service 3.0
RP763: 3/16/2012 3:04:08 PM - Software Distribution Service 3.0
RP764: 3/16/2012 3:17:39 PM - Software Distribution Service 3.0
RP765: 3/17/2012 3:52:59 PM - System Checkpoint
RP766: 3/18/2012 9:50:06 AM - Software Distribution Service 3.0
RP767: 3/19/2012 6:13:19 PM - Software Distribution Service 3.0
RP768: 3/20/2012 7:19:29 PM - Software Distribution Service 3.0
RP769: 3/21/2012 9:26:33 PM - Software Distribution Service 3.0
RP770: 3/23/2012 11:19:09 AM - Software Distribution Service 3.0
RP771: 3/24/2012 2:55:57 PM - Software Distribution Service 3.0
RP772: 3/25/2012 4:21:13 PM - System Checkpoint
RP773: 3/25/2012 4:59:17 PM - Software Distribution Service 3.0
RP774: 3/26/2012 8:51:56 PM - Software Distribution Service 3.0
RP775: 3/28/2012 9:27:43 AM - Software Distribution Service 3.0
RP776: 3/29/2012 9:39:44 PM - Software Distribution Service 3.0
RP777: 3/30/2012 11:08:36 PM - System Checkpoint
RP778: 3/31/2012 9:41:22 AM - Software Distribution Service 3.0
RP779: 4/1/2012 9:45:09 AM - System Checkpoint
RP780: 4/2/2012 8:11:52 PM - Software Distribution Service 3.0
RP781: 4/4/2012 8:28:52 PM - Software Distribution Service 3.0
RP782: 4/6/2012 5:55:54 PM - Software Distribution Service 3.0
RP783: 4/7/2012 6:53:28 PM - Software Distribution Service 3.0
RP784: 4/9/2012 8:33:36 PM - Software Distribution Service 3.0
RP785: 4/11/2012 12:46:39 PM - Software Distribution Service 3.0
RP786: 4/12/2012 12:48:37 PM - System Checkpoint
RP787: 4/13/2012 10:54:10 AM - Software Distribution Service 3.0
RP788: 4/13/2012 11:24:51 AM - Software Distribution Service 3.0
RP789: 4/15/2012 10:44:30 AM - Software Distribution Service 3.0
RP790: 4/16/2012 8:36:22 PM - Software Distribution Service 3.0
RP791: 4/17/2012 9:08:07 PM - Software Distribution Service 3.0
RP792: 4/19/2012 8:27:09 PM - Software Distribution Service 3.0
RP793: 4/21/2012 5:43:35 PM - Software Distribution Service 3.0
RP794: 4/22/2012 6:14:05 PM - System Checkpoint
RP795: 4/26/2012 9:24:42 PM - Software Distribution Service 3.0
RP796: 4/28/2012 3:58:03 PM - Software Distribution Service 3.0
RP797: 5/2/2012 8:57:16 PM - Software Distribution Service 3.0
RP798: 5/4/2012 2:18:23 PM - Software Distribution Service 3.0
RP799: 5/5/2012 7:05:59 PM - Software Distribution Service 3.0
RP800: 5/6/2012 8:01:45 PM - System Checkpoint
RP801: 5/10/2012 9:46:52 PM - Software Distribution Service 3.0
RP802: 5/13/2012 7:14:55 PM - System Checkpoint
RP803: 5/14/2012 12:04:38 PM - Software Distribution Service 3.0
RP804: 5/14/2012 6:24:07 PM - Software Distribution Service 3.0
RP805: 5/15/2012 6:35:17 PM - Software Distribution Service 3.0
RP806: 5/15/2012 6:58:24 PM - Software Distribution Service 3.0
RP807: 5/16/2012 8:10:55 PM - Software Distribution Service 3.0
RP808: 5/17/2012 8:40:46 PM - Software Distribution Service 3.0
RP809: 5/18/2012 9:03:37 PM - System Checkpoint
RP810: 5/19/2012 10:20:00 AM - Software Distribution Service 3.0
RP811: 5/20/2012 10:20:57 PM - Software Distribution Service 3.0
RP812: 5/21/2012 9:14:50 PM - Software Distribution Service 3.0
RP813: 5/21/2012 11:06:12 PM - Software Distribution Service 3.0
RP814: 5/22/2012 5:39:47 PM - Software Distribution Service 3.0
RP815: 5/23/2012 2:18:15 AM - Software Distribution Service 3.0
RP816: 5/23/2012 5:36:40 PM - Software Distribution Service 3.0
RP817: 5/24/2012 6:07:33 PM - Software Distribution Service 3.0
RP818: 5/25/2012 9:22:25 PM - Software Distribution Service 3.0
RP819: 5/26/2012 9:27:44 PM - System Checkpoint
RP820: 5/27/2012 8:12:48 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acala DVD Ripper Professional 6.1.8
Acrobat.com
Activision(R)
Adobe AIR
Adobe Community Help
Adobe Creative Suite 5 Master Collection
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Media Player
Adobe Reader 9.4.4
Akamai NetSession Interface
Akamai NetSession Interface Service
Any Video Converter 3.3.4
AoA DVD Ripper
APB Reloaded
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AVG Free 9.0
Battlefield Heroes
Blur(TM)
Bonjour
Borderlands
Browser Configuration Utility
calibre
Citrix Presentation Server Client
Counter-Strike: Source
Curse Client
DAEMON Tools Lite
Dawn of War - Dark Crusade
DC Universe Online Live
Defcon Demo
Diablo III
DivX Setup
DMIView B8.0717.01
doPDF 7.0 printer
Dual-Core Optimizer
Duke Nukem Forever Demo
DVD Shrink 3.2
Easy Tune 6 B09.0326.1
EdenEternal
Energy Saver Advance B9.0316.1
EVGA Precision 1.8.0
Fantasy Earth Zero
Far Cry 2
FlatOut Ultimate Carnage
Fraps (remove only)
Free Audio CD Burner version 1.2
Free YouTube to MP3 Converter version 3.3
Get the Picture!
Gigabyte Raid Configurer
Google Chrome
Google SketchUp 8
Handbrake 0.9.4
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp instant support
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1100 series
hp psc 1100 series
IGG Web3D Player version 1.0.0.37
iTunes
Java Auto Updater
Java(TM) 6 Update 29
League of Legends
Logitech GamePanel Software 3.03.133
Magic: The Gathering — Duels of the Planeswalkers 2012 - Demo
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mini Ninjas 1.0
Mozilla Firefox 5.0.1 (x86 en-US)
Nero Suite
NVIDIA Control Panel 296.10
NVIDIA Graphics Driver 296.10
NVIDIA Install Application
NVIDIA nView 136.18
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0213
NVIDIA Update 1.7.11
NVIDIA Update Components
OpenAL
Orcs Must Die! Demo
Pando Media Booster
PDF Settings CS5
Pepakura Viewer 3
Plants vs. Zombies(TM)
Portal
Portal 2
PowerDVD
PunkBuster Services
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RIFT
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic Audio Module
Sonic CinePlayer
Sonic Copy Module
Sonic Data Module
Sonic MyDVD Studio Deluxe
Sonic RecordNow! Deluxe
Sonic Update Manager
SpeechRedist
Spelling Dictionaries Support For Adobe Reader 9
SPORE™
Star Wars: The Old Republic
StarCraft
Steam
STOIK Video Converter 3
System Requirements Lab
System Requirements Lab CYRI
Tablet
Team Fortress 2
Tornado Jockey
Uninstall 1.0.0.1
Unity Web Player
Unreal Tournament 2004
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.6195
Ventrilo Client
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3
World of Logs Client
World of Warcraft
Wow Web Stats Client v3.0
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.2 final uninstall
YouTube Downloader 3.5
YouTube Downloader Toolbar v5.8
.
==== Event Viewer Messages From Past Week ========
.
5/26/2012 4:22:15 PM, error: nv [108] - The driver nv4_disp for the display device \Device\Video0 got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly. Please check with your hardware device vendor for any driver updates.
5/25/2012 10:02:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86
5/24/2012 5:56:51 PM, error: Dhcp [1002] - The IP address lease 192.168.1.42 for the Network Card with network address 00241DC033FA has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
5/23/2012 8:46:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/23/2012 8:39:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Cinemsup Fips intelppm MpFilter
5/23/2012 8:12:03 PM, error: Dhcp [1002] - The IP address lease 10.0.0.3 for the Network Card with network address 00241DC033FA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
5/21/2012 7:06:28 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 10.0.0.3 with the system having network hardware address 4C:B1:99:2C:92:87. Network operations on this system may be disrupted as a result.
5/21/2012 6:36:13 PM, error: System Error [1003] - Error code 000000ea, parameter1 89e19da0, parameter2 8afbff60, parameter3 8ab75150, parameter4 00000001.
5/21/2012 6:33:56 PM, error: Dhcp [1002] - The IP address lease 10.0.0.2 for the Network Card with network address 00241DC033FA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
5/21/2012 6:06:48 PM, error: JRAID [9] - The device, \Device\Scsi\JRAID1, did not respond within the timeout period.
5/21/2012 6:05:39 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
.
==== End Of File ===========================
 
Good morning and welcome to TechSpot! I'll help with the malware.

It appears that AVG is still installed. I'd like you to run Combofix, but it won't run with AVG. Since you mean to remove it anyway, this should help:

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.
=============================
After the uninstall has completed,

Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------

  • Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
    • Double click combofix.exe
      & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close any open browsers.
  • Before you run the Combofix scan, please disable any security software you have running.
    (If you need help with this, please see HERE)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated and opened in a text window. Please paste the C:\ComboFix.txt in your next reply.

Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
==============================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===============================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
 
Hi Bobbye.

Thanks for your help. As requested, I have removed the remnants of AVG (or at least it looks that way) and run ComboFix and EsetOnlineScan. Just to let you know, after my initial post (but before you replied) I did run my MSE again and it detected and removed sirefef.AB. (I just wanted you to know of any actions I have taken so far.)

Also, I'm not sure if it is related, but it seems that when I go to google.com, Chrome alerts me that the page has insecure content, and if I choose to load it anyway a small red X shows up on the padlock and a red line crosses through the "https:" in the address bar. Again, not sure if it is related or will be fixed in the course of your assistance, but I wanted to let you know.

Here are the logs from today's requested scans:

From ComboFix:

ComboFix 12-05-28.01 - Buddy Lee 05/28/2012 9:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2620 [GMT -4:00]
Running from: c:\documents and settings\Buddy Lee\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Buddy Lee\GoToAssistDownloadHelper.exe
c:\documents and settings\Buddy Lee\Local Settings\Application Data\._Revolution_
C:\install.exe
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\dllcache\wmpvis.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-28 )))))))))))))))))))))))))))))))
.
.
2012-05-28 13:56 . 2012-05-08 16:40  6737808  ------w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{06B27F91-B126-4A0D-ACCE-110EA6A154B0}\mpengine.dll
2012-05-28 06:20 . 2012-05-08 16:40  6737808  ------w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-27 14:44 . 2012-05-27 14:44  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\{61292E35-A7F7-11E1-8270-B8AC6F996F26}
2012-05-27 12:27 . 2012-05-27 12:27  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}
2012-05-26 01:12 . 2012-05-26 01:12  --------  d-----w-  c:\documents and settings\Buddy Lee\Application Data\Search Settings
2012-05-26 01:12 . 2012-05-26 01:12  --------  d-----w-  c:\program files\Application Updater
2012-05-26 01:12 . 2012-05-26 01:12  --------  d-----w-  c:\program files\YouTube Downloader Toolbar
2012-05-26 01:12 . 2012-05-26 01:12  --------  d-----w-  c:\program files\Common Files\Spigot
2012-05-18 20:57 . 2012-05-18 20:57  --------  d-----w-  c:\documents and settings\UpdatusUser
2012-05-18 20:55 . 2012-02-29 23:58  881984  ----a-w-  c:\windows\system32\nvgenco32.dll
2012-05-18 20:55 . 2012-02-29 23:58  1000256  ----a-w-  c:\windows\system32\nvdispco32.dll
2012-05-18 16:06 . 2012-05-18 16:06  --------  d-----w-  c:\documents and settings\Buddy Lee\Application Data\DDMSettings
2012-05-16 03:48 . 2012-05-16 10:20  --------  d-----w-  c:\program files\Diablo III
2012-05-16 03:45 . 2012-05-16 03:45  --------  d-----w-  c:\documents and settings\All Users\Application Data\Battle.net
2012-05-11 03:48 . 2012-05-11 03:49  --------  d-----w-  c:\documents and settings\Administrator
2012-05-11 02:17 . 2012-05-11 02:17  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\Citrix
2012-05-04 20:39 . 2012-05-04 20:39  419488  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-28 13:45 . 2009-12-06 22:06  24944  ----a-w-  c:\windows\system32\drivers\GVTDrv.sys
2012-05-28 13:44 . 2009-12-06 22:06  17488  ----a-w-  c:\windows\gdrv.sys
2012-05-04 20:39 . 2011-06-07 13:15  70304  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14 . 2002-08-28 23:04  2148352  ----a-w-  c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2002-08-29 00:14  1862272  ----a-w-  c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2002-08-29 01:04  2026496  ----a-w-  c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56 . 2011-03-24 00:35  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-03-21 00:44 . 2010-10-25 01:25  171064  ----a-w-  c:\windows\system32\drivers\MpFilter.sys
2012-03-03 04:53 . 2009-12-06 22:06  17488  ----a-w-  c:\windows\etdrv.sys
2012-03-01 11:01 . 2002-08-29 01:41  1469440  ------w-  c:\windows\system32\inetcpl.cpl
2012-03-01 11:01 . 2002-08-29 01:41  916992  ----a-w-  c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2002-08-29 01:41  43520  ----a-w-  c:\windows\system32\licmgr10.dll
2012-02-29 23:58 . 2010-01-30 19:44  65536  ----a-w-  c:\windows\system32\OpenCL.dll
2012-02-29 23:58 . 2010-01-30 19:44  17534976  ----a-w-  c:\windows\system32\nvcompiler.dll
2012-02-29 23:58 . 2009-08-16 16:57  5918720  ----a-w-  c:\windows\system32\nvcuda.dll
2012-02-29 23:58 . 2009-08-16 16:57  2522944  ----a-w-  c:\windows\system32\nvcuvid.dll
2012-02-29 23:58 . 2009-08-16 16:57  2437440  ----a-w-  c:\windows\system32\nvcuvenc.dll
2012-02-29 23:58 . 2009-08-16 16:57  2291712  ----a-w-  c:\windows\system32\nvapi.dll
2012-02-29 23:58 . 2009-08-16 16:57  18624512  ----a-w-  c:\windows\system32\nvoglnt.dll
2012-02-29 23:58 . 2004-08-04 07:56  4309760  ----a-w-  c:\windows\system32\nv4_disp.dll
2012-02-29 23:58 . 2004-08-04 05:29  13417632  ----a-w-  c:\windows\system32\drivers\nv4_mini.sys
2012-02-29 20:30 . 2011-01-07 23:56  54272  ----a-w-  c:\windows\system32\nvwddi.dll
2012-02-29 20:30 . 2011-01-07 23:56  15494464  ----a-w-  c:\windows\system32\nvcpl.dll
2012-02-29 20:30 . 2011-01-07 23:56  143680  ----a-w-  c:\windows\system32\nvcolor.exe
2012-02-29 20:30 . 2011-01-07 23:56  164160  ----a-w-  c:\windows\system32\nvsvc32.exe
2012-02-29 20:30 . 2011-01-07 23:56  108352  ----a-w-  c:\windows\system32\nvmctray.dll
2012-02-29 14:10 . 2002-08-29 01:40  148480  ----a-w-  c:\windows\system32\imagehlp.dll
2012-02-29 14:10 . 2001-08-23 12:00  177664  ----a-w-  c:\windows\system32\wintrust.dll
2012-02-29 12:17 . 2004-08-04 05:59  385024  ----a-w-  c:\windows\system32\html.iec
2011-07-08 07:16 . 2011-07-24 05:42  142296  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\Buddy Lee\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-05-08 3331872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-13 357384]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-08-13 1573384]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-13 3161608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-30 19523616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
"NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-29 1634112]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-05-25 992648]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 22:36  36864  ------r-  c:\windows\RaidTool\xInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg9wd"=2 (0x2)
"avg9emc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\defcon\\defcon.exe"=
"c:\\Program Files\\Games\\Counter-Strike Source\\hl2.exe"=
"c:\\Program Files\\Games\\Flatout2-DVD\\FlatOut2.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\Repair.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Activision\\Blur(TM)\\Blur.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Portal 2\\portal2.exe"=
"c:\\AeriaGames\\EdenEternal\\_Launcher.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\duke nukem forever demo\\System\\DukeForeverDemo.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\launcher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\orcs must die!\\build\\release\\OrcsMustDie.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\betatest\\retailclient\\swtor.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\magic 2012 demo\\Magic_2012.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Apps\\2.0\\V5MX5KZZ.1XK\\ZEL7LV1A.0XR\\curs..tion_eee711038731a406_0004.0000_2bd39706d04e72c8\\CurseClient.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.524\\Agent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.954\\Agent.exe"=
"c:\\Program Files\\Diablo III\\Diablo III.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.976\\Agent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"57608:TCP"= 57608:TCP:*:Disabled:pando Media Booster
"57608:UDP"= 57608:UDP:*:Disabled:pando Media Booster
"58162:TCP"= 58162:TCP:*:Disabled:pando Media Booster
"58162:UDP"= 58162:UDP:*:Disabled:pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6885:TCP"= 6885:TCP:League of Legends Launcher
"6885:UDP"= 6885:UDP:League of Legends Launcher
"1050:TCP"= 1050:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [4/30/2011 10:27 AM 218688]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/23/2001 8:00 AM 14336]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [5/25/2012 3:12 PM 785344]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/5/2009 5:20 PM 68136]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [5/18/2012 4:57 PM 2348352]
R3 AODDriver;AODDriver;c:\program files\GIGABYTE\ET6\i386\AODDriver.sys [2/23/2009 1:16 AM 7168]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [7/14/2009 4:35 PM 19720]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/5/2009 5:23 PM 1691480]
S3 etdrv;etdrv;c:\windows\etdrv.sys [12/6/2009 6:06 PM 17488]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
SUnknown GVTDrv;GVTDrv; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai  REG_MULTI_SZ  Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-28 c:\windows\Tasks\AdobeAAMUpdater-1.0-APEVIA-Buddy Lee.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-27 08:44]
.
2012-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2010-03-27 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1100 series272A572217594EBCF1CEE215E352B92AD073FDE4260471350.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
2012-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1364589140-839522115-1003Core.job
- c:\documents and settings\Buddy Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-06 08:09]
.
2012-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1364589140-839522115-1003UA.job
- c:\documents and settings\Buddy Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-06 08:09]
.
2012-05-28 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;127.0.0.1:9421;*.local;<local>
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 10.0.0.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Buddy Lee\Application Data\Mozilla\Firefox\Profiles\xmqrti8r.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-Sonic RecordNow! Deluxe - (no file)
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
AddRemove-FlatOut Ultimate Carnage - d:\games\FlatOut Ultimate Carnage\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-28 10:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_6c825ce.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-746137067-1364589140-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:fc,95,3b,54,93,42,d1,d6,a6,d4,2b,fe,61,86,4f,74,e3,2a,b8,29,bb,
e0,cc,45,2f,84,2b,f4,d0,b6,fd,1d,77,61,77,7c,f6,08,6e,be,f3,0c,04,3e,d6,c5,\
"rkeysecu"=hex:f6,73,5d,ec,09,43,10,ab,85,ec,04,41,ad,f0,c5,d7
.
Completion time: 2012-05-28 10:03:53
ComboFix-quarantined-files.txt 2012-05-28 14:03
.
Pre-Run: 381,798,092,800 bytes free
Post-Run: 382,124,736,512 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer
.
- - End Of File - - 7ACA86425B289558FD1F069F47DE1AA1
From the EsetOnlineScan:
C:\Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exe  Win32/Toolbar.Widgi application
C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n  Win32/Sirefef.EV trojan
C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul  JS/Redirector.NIQ trojan
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe  a variant of Win32/InstallCore.D application
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe  a variant of Win32/InstallCore.D application
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe  a variant of Win32/InstallCore.D application
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe  a variant of Win32/InstallCore.D application
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe  a variant of Win32/InstallCore.D application
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe  a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372442.rbf  a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372443.rbf  a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372458.rbf  probably a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP798\A0383308.msi  a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412141.exe  a variant of Win32/InstallCore.T application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412142.exe  a variant of Win32/InstallIQ application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412143.exe  a variant of Win32/InstallIQ application
 
Here are instructions to remove SearchSettings:
  1. Click on Start> Control Panel> "Add/Remove Programs" or "Uninstall a Program."
  2. Look for Search Settings in the list that follows. If it appears (it usually doesn't), select and delete it.
  3. Click on Start> All Programs> Accessories> System Tools> Windows Explorer.
  4. Once in Windows Explorer> click on Tools> Folder Options> View tab> Check 'Show hidden files and folders'> Uncheck 'Hide system files (Recommended)'> Click on Apply and click Yes to confirm.
  5. Again click on Tools> Manage Add-ons> Find Search Settings among the list and select Disable (or Remove if possible). Note: Look in both 'add-ons currently on system' and 'add-ons previously on system'.
  6. Open Firefox if you have it installed> Tools> Add-ons> Look for Search Settings. If it's there, click the Uninstall button.
  7. Download the free Windows Installer CleanUp Utility. Install, then open the utility. Look for Search Settings among the programs listed, select it, and then press the "Remove" button.
===================================================
Please download OTMoveIt by OldTimer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files
    C:\Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exe
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\nWin32/Sirefef.EV trojan
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe
        
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
--------------------------------------
Note 1: When you have a download screen in front of you, carefully look for any pre-checked boxes. If there are any, click to uncheck the box.
Note 2: When you install a program, if given a choice, choose Custom Install instead of Standard.
================================================
When we have finished cleaning, I will have you set a new, clean restore point, then remove all of the old restore points.
=================================================

Remove Zero.Access (Sirefef)
ESET has provided a stand-alone malware removal tool to remove this particularly resilient threat. Follow the steps below.
  1. Download, save and run the Win32/Sirefef stand-alone malware removal tool and follow the prompts as directed.
  2. If this tool is unsuccessful in cleaning, try restarting into Safe Mode with Networking and running it again.
  3. When finished, update and rescan with the Eset online scanner.
Leave any new log that is generated.
 
Hello.

I ran into hiccups with the following:

Search settings: I was unable to find any instances of search settings with the Add/Remove Programs, Manage Add-Ons in Internet Explorer or Firefox and it was also not listed in Chrome anywhere. Also it was not listed in the Windows Installer Cleanup Utility.

OTMoveIt: When I ran the program I got an error message stating "Invalid time flag! [ Sirefef.EV trajan ] Must be numerical." At this point I clicked OK and then Move It again. I did get a log which I post below. (I hope that I ran this one right.)

Remove Zero.Access (Sirefef): I ran this both in normal mode and in safe mode with networking and got an error message stating "Win32/Sirefef has NOT been found on your system".

I am currently running the Eset online scanner but seeing that the scan will take quite some time (I think it took 3 hours last time) I wanted to at least update you with this information. Once that scan is done I will post any logs in my next reply.

Here is the OTMoveIt log:

All processes killed
Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\nWin32/Sirefef.EV trojan> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe> in the current context!
Error: Unable to interpret < > in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 57037 bytes

User: All Users

User: Buddy Lee
->Temp folder emptied: 2425009 bytes
->Temporary Internet Files folder emptied: 9911811 bytes
->Java cache emptied: 8478 bytes
->FireFox cache emptied: 26227486 bytes
->Google Chrome cache emptied: 366142719 bytes
->Flash cache emptied: 62665 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56475 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 6848 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56475 bytes

%systemdrive% .tmp files removed: 3138 bytes
%systemroot% .tmp files removed: 1138887 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21735 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33728 bytes
RecycleBin emptied: 11010944 bytes

Total Files Cleaned = 398.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 05282012_213124

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_504.dat not found!

Registry entries deleted on Reboot...
 
Here is the Eset Online log:

C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n  Win32/Sirefef.EV trojan
C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul  JS/Redirector.NIQ trojan
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe  a variant of Win32/InstallCore.D application
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe  a variant of Win32/InstallCore.D application
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe  a variant of Win32/InstallCore.D application
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe  a variant of Win32/InstallCore.D application
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe  a variant of Win32/InstallCore.D application
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe  a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372442.rbf  a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372443.rbf  a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372458.rbf  probably a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP798\A0383308.msi  a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412141.exe  a variant of Win32/InstallCore.T application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412142.exe  a variant of Win32/InstallIQ application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412143.exe  a variant of Win32/InstallIQ application
C:\_OTM\MovedFiles\05282012_213059\C_Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exe  Win32/Toolbar.Widgi application
 
I do have one question regarding the OTMoveIt instructions of "Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):". I am assuming that you are referring to all of the lines in the code box below it (from :Files to [Reboot]), correct?

Thanks again for all of your help, especially on the holiday. :)
 
Sorry- that OTM problem was my mistake. I left the malware name in.

But I have a question about the CNet downloads. Are you currently running those downloads? If you are, I will need to put them in Processes instead of Files.

Any time you are instructed to copy the contents of the code box, you copy everything that is in the code box.

Regarding the secure/not secure/red x/ image place holder:
There are specific settings in browsers where you check specific entries according to how you want the browser to behave. For instance, in Internet Options for IE, Advanced tab> Security section> there is a line you can check: 'warn me if changing between secure and insecure mode.' If that is checked, you would get a message like you are describing from Chrome. If you decide to go ahead, that's your option- the browser did its job.
=====================================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code box below into it:
Code:
File::
Folder::
c:\documents and settings\Buddy Lee\Application Data\Search Settings
c:\program files\Application Updater
c:\program files\YouTube Downloader Toolbar
c:\program files\Common Files\Spigot
c:\documents and settings\UpdatusUser
DDS::
uInternet Settings,ProxyOverride = 127.0.0.1;127.0.0.1:9421;*.local;<local>
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchSettings"=-
 
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
You need to be careful about pre-checked items on download screens. You also should choose Custom install for downloaded programs rather than Standard install. Example:
YouTube Downloader Toolbar:>> Vendio YouTube Downloader Toolbar, bundled with certain YouTube Downloaders, installed in tandem with their Search Settings foistware

I have used the script to remove as much as I see for the toolbar and Search Settings. I will have you run a scan toward the end to make sure we got it all. Check Add/Remove Programs and remove the YouTube Downloader Toolbar if there. Then use Windows Explorer to delete the program folder.
======================
Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader > Current is vX (10.xx)> Adobe Reader Update
Java(TM) > Current is now v7u4. Java Updates.
Uninstall any earlier versions of both, as they are vulnerabilities for the system.
======================
I have OTM set up again. Let me know if the processes are running so I can put them in the correct section.
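The OTM `:Files` block earlier in the thread takes bare paths, and the "Unable to interpret" errors in the OTM log came from a detection label left on one of those lines. As an added example (not code from the thread, from ESET or from OldTimer), here is a Python helper that splits ESET Online Scanner result lines into path and detection name, whether the tabs survived pasting or not, and emits a path-only `:Files` block with a pre-paste check; the list of ESET platform prefixes is an assumption and the sample log is constructed from lines in this thread.

```python
"""Added example (not from the thread, ESET or OldTimer).

ESET Online Scanner writes one detection per line as
    <path><TAB><detection name><TAB><action>
When such a log is pasted into a forum post the tabs are usually lost and the
detection name ends up glued to the file name:
    ...\ytd_installer.exeWin32/Toolbar.Widgi application
OTM's ":Files" section expects bare paths, so a label left on a line produces
"Unable to interpret <...> in the current context!".  This helper recovers
(path, detection) pairs from either layout and builds a path-only block.
"""
import re
from typing import Iterable, List, NamedTuple, Optional


class Detection(NamedTuple):
    path: str
    threat: str


# Where a detection label begins.  Assumption: ESET labels start with an
# optional "probably " / "a variant of " and one of these platform prefixes.
_THREAT_START = re.compile(
    r"(?:probably )?(?:a variant of )?"
    r"(?:Win32|Win64|MSIL|JS|HTML|VBS|Java|Android|OSX|Linux|PDF|SWF|BAT)/"
)
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
_RESTORE_DIR = "\\system volume information\\"


def parse_eset_line(line: str) -> Optional[Detection]:
    """Split one ESET result line into (path, threat); None if unrecognised.

    Handles the original tab-separated layout and pasted lines whose tabs
    were lost (label fused onto the file name).
    """
    line = line.strip("\r\n")
    if not line.strip():
        return None
    if "\t" in line:
        fields = line.split("\t")
        if len(fields) < 2:
            return None
        return Detection(fields[0].strip(), fields[1].strip())
    m = _THREAT_START.search(line)
    if m is None or m.start() == 0:
        return None
    return Detection(line[:m.start()], line[m.start():].strip())


def parse_eset_log(text: str) -> List[Detection]:
    """Parse a whole pasted log, skipping lines that are not detections."""
    parsed = (parse_eset_line(l) for l in text.splitlines())
    return [d for d in parsed if d is not None]


def build_otm_script(detections: Iterable[Detection],
                     skip_restore_points: bool = True) -> str:
    """Emit an OTM script: a ":Files" block of bare paths plus ":Commands".

    Restore-point copies under System Volume Information are skipped by
    default; those are cleared by setting a fresh restore point and purging
    the old ones once the machine is clean.
    """
    files = []
    for d in detections:
        if skip_restore_points and _RESTORE_DIR in d.path.lower():
            continue
        if not _DRIVE_PATH.match(d.path):
            raise ValueError(f"not a drive-letter path: {d.path!r}")
        files.append(d.path)
    return "\n".join([":Files", *files, "", ":Commands",
                      "[purity]", "[emptytemp]", "[start explorer]", "[Reboot]"])


def otm_files_block_is_clean(script: str) -> bool:
    """Pre-paste check: every ":Files" entry is a path with no label on it."""
    entries = script.split(":Commands", 1)[0].splitlines()[1:]
    return all(
        _DRIVE_PATH.match(e.strip()) is not None and _THREAT_START.search(e) is None
        for e in entries if e.strip()
    )


# Constructed sample: three lines as they were pasted in this thread (tabs
# lost) plus one line in ESET's original tab-separated layout.
SAMPLE_ESET_LOG = (
    "C:\\Documents and Settings\\Buddy Lee\\Local Settings\\Application Data\\"
    "{2f1cbfb4-f416-fa3a-0185-147727087505}\\nWin32/Sirefef.EV trojan\n"
    "C:\\Documents and Settings\\Buddy Lee\\My Documents\\Downloads\\"
    "cnet2_avc-free_exe.exea variant of Win32/InstallCore.D application\n"
    "C:\\System Volume Information\\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\\"
    "RP781\\A0372458.rbfprobably a variant of Win32/Toolbar.Widgi application\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\YouTube Downloader\\"
    "ytd_installer.exe\tWin32/Toolbar.Widgi application\tcleaned by deleting\n"
)

if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_ESET_LOG)
    for d in found:
        print(f"{d.threat:50}  {d.path}")
    script = build_otm_script(found)
    print(script)
    print("files block clean:", otm_files_block_is_clean(script))
```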
 
Ok, looks like I did not run into any hiccups this time. :)

To answer your question about the CNET programs, I am not currently using them. So do with them what you will as I would not be upset if we ended up installing them if we need to. (I had use for them a while ago.)

Thanks for the secured/not secured explanation. I thought it was strange because I was just going to www.google.com and didn't realize that it was a secure site. However, I then noticed that I was signed into google. I proceeded to sign out of google and the "unsecure content" warning stopped surfacing. (I was wondering if maybe it was part of the virus.)

ComboFix ran and the log is at the end of the post.

I used the Add/Remove programs to uninstall the toolbar but was unable to find the program folder. (Maybe the uninstall removed it?) Also, the latest versions of Java and Adobe Reader are now installed. With Java I found an earlier version of Java that I uninstalled but with Adobe Reader I did not find an earlier version installed. Also, when looking through the Add/Remove programs I did find JavaFX 2.1.0. Do I need to remove that as well?

ComboFix Log:

ComboFix 12-05-28.01 - Buddy Lee 05/29/2012 20:04:20.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2726 [GMT -4:00]
Running from: c:\documents and settings\Buddy Lee\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Buddy Lee\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Buddy Lee\Application Data\Search Settings
c:\program files\Application Updater
c:\program files\Application Updater\ApplicationUpdater.exe
c:\program files\Application Updater\config.ini
c:\program files\Common Files\Spigot
c:\program files\Common Files\Spigot\Search Settings\baidu_ff.xml
c:\program files\Common Files\Spigot\Search Settings\baidu_ie.xml
c:\program files\Common Files\Spigot\Search Settings\config.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1031.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1033.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1034.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1036.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1040.ini
c:\program files\common files\spigot\search settings\SearchSettings.exe
c:\program files\Common Files\Spigot\Search Settings\wth.dll
c:\program files\Common Files\Spigot\Search Settings\yahoo_ff.xml
c:\program files\Common Files\Spigot\Search Settings\yahoo_ie.xml
c:\program files\Common Files\Spigot\Search Settings\yandex_ff.xml
c:\program files\Common Files\Spigot\Search Settings\yandex_ie.xml
c:\program files\Common Files\Spigot\wtxpcom\chrome.manifest
c:\program files\Common Files\Spigot\wtxpcom\components\chrome.manifest
c:\program files\Common Files\Spigot\wtxpcom\components\IFBHOHelperWidgiToolbar.xpt
c:\program files\Common Files\Spigot\wtxpcom\components\IFBHOWidgiToolbar.xpt
c:\program files\Common Files\Spigot\wtxpcom\components\install.rdf
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.10
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.11
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.12
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.13
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.14
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.6
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.7
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.8
c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.9
c:\program files\Common Files\Spigot\wtxpcom\install.rdf
c:\program files\YouTube Downloader Toolbar
c:\program files\YouTube Downloader Toolbar\FF\chrome.manifest
c:\program files\YouTube Downloader Toolbar\FF\chrome\chrome.jar
c:\program files\YouTube Downloader Toolbar\FF\install.rdf
c:\program files\YouTube Downloader Toolbar\IE\5.8\config.ini
c:\program files\youtube downloader toolbar\ie\5.8\youtubedownloaderToolbarIE.dll
c:\program files\YouTube Downloader Toolbar\Res\amazon.gif
c:\program files\YouTube Downloader Toolbar\Res\dailymotion.gif
c:\program files\YouTube Downloader Toolbar\Res\dropinsavings.gif
c:\program files\YouTube Downloader Toolbar\Res\dropinsavingsabt.gif
c:\program files\YouTube Downloader Toolbar\Res\ebay.gif
c:\program files\YouTube Downloader Toolbar\Res\facebook.gif
c:\program files\YouTube Downloader Toolbar\Res\googleplus.gif
c:\program files\YouTube Downloader Toolbar\Res\hulu.gif
c:\program files\YouTube Downloader Toolbar\Res\icon_settings.gif
c:\program files\YouTube Downloader Toolbar\Res\Lang\res1031.ini
c:\program files\YouTube Downloader Toolbar\Res\Lang\res1033.ini
c:\program files\YouTube Downloader Toolbar\Res\Lang\res1034.ini
c:\program files\YouTube Downloader Toolbar\Res\Lang\res1036.ini
c:\program files\YouTube Downloader Toolbar\Res\Lang\res1040.ini
c:\program files\YouTube Downloader Toolbar\Res\metacafe.gif
c:\program files\YouTube Downloader Toolbar\Res\radio-close.gif
c:\program files\YouTube Downloader Toolbar\Res\radio-minimize.gif
c:\program files\YouTube Downloader Toolbar\Res\radiobeta.gif
c:\program files\YouTube Downloader Toolbar\Res\search-button-hover.gif
c:\program files\YouTube Downloader Toolbar\Res\search-button.gif
c:\program files\YouTube Downloader Toolbar\Res\search-chevron-hover.gif
c:\program files\YouTube Downloader Toolbar\Res\search-chevron.gif
c:\program files\YouTube Downloader Toolbar\Res\search_amazon.gif
c:\program files\YouTube Downloader Toolbar\Res\search_baidu.gif
c:\program files\YouTube Downloader Toolbar\Res\search_ebay.gif
c:\program files\YouTube Downloader Toolbar\Res\search_yahoo.gif
c:\program files\YouTube Downloader Toolbar\Res\search_yandex.gif
c:\program files\YouTube Downloader Toolbar\Res\search_youtube.gif
c:\program files\YouTube Downloader Toolbar\Res\twitter.gif
c:\program files\YouTube Downloader Toolbar\Res\veoh.gif
c:\program files\YouTube Downloader Toolbar\Res\widgets.xml
c:\program files\YouTube Downloader Toolbar\Res\youtube.gif
c:\program files\YouTube Downloader Toolbar\Res\ytd.gif
c:\program files\YouTube Downloader Toolbar\Res\ytd_logo.gif
c:\program files\YouTube Downloader Toolbar\Res\ytd_logo_hover.gif
c:\program files\YouTube Downloader Toolbar\WidgiHelper.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_Application_Updater
-------\Legacy_Application_Updater
-------\Service_Application Updater
-------\Service_Application Updater
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-30 )))))))))))))))))))))))))))))))
.
.
2012-05-29 23:51 . 2012-05-08 16:40  6737808  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{14ACBC3D-9079-4E34-B395-85248A5F0E45}\mpengine.dll
2012-05-29 01:30 . 2012-05-29 01:30  --------  d-----w-  C:\_OTM
2012-05-29 01:24 . 2012-05-29 01:24  3584  ----a-r-  c:\documents and settings\Buddy Lee\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2012-05-29 01:24 . 2012-05-29 01:24  --------  d-----w-  c:\program files\Windows Installer Clean Up
2012-05-29 01:24 . 2012-05-29 01:24  --------  d-----w-  c:\program files\MSECACHE
2012-05-28 14:09 . 2012-05-28 14:09  --------  d-----w-  c:\program files\ESET
2012-05-28 14:07 . 2012-05-08 16:40  6737808  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-27 14:44 . 2012-05-27 14:44  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\{61292E35-A7F7-11E1-8270-B8AC6F996F26}
2012-05-27 12:27 . 2012-05-27 12:27  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}
2012-05-18 20:57 . 2012-05-18 20:57  --------  d-----w-  c:\documents and settings\UpdatusUser
2012-05-18 20:55 . 2012-02-29 23:58  881984  ----a-w-  c:\windows\system32\nvgenco32.dll
2012-05-18 20:55 . 2012-02-29 23:58  1000256  ----a-w-  c:\windows\system32\nvdispco32.dll
2012-05-18 16:06 . 2012-05-18 16:06  --------  d-----w-  c:\documents and settings\Buddy Lee\Application Data\DDMSettings
2012-05-16 03:48 . 2012-05-16 10:20  --------  d-----w-  c:\program files\Diablo III
2012-05-16 03:45 . 2012-05-16 03:45  --------  d-----w-  c:\documents and settings\All Users\Application Data\Battle.net
2012-05-11 03:48 . 2012-05-11 03:49  --------  d-----w-  c:\documents and settings\Administrator
2012-05-11 02:17 . 2012-05-11 02:17  --------  d-----w-  c:\documents and settings\Buddy Lee\Local Settings\Application Data\Citrix
2012-05-04 20:39 . 2012-05-04 20:39  419488  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-30 00:17 . 2009-12-06 22:06  24944  ----a-w-  c:\windows\system32\drivers\GVTDrv.sys
2012-05-30 00:17 . 2009-12-06 22:06  17488  ----a-w-  c:\windows\gdrv.sys
2012-05-04 20:39 . 2011-06-07 13:15  70304  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14 . 2002-08-28 23:04  2148352  ----a-w-  c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2002-08-29 00:14  1862272  ----a-w-  c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2002-08-29 01:04  2026496  ----a-w-  c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56 . 2011-03-24 00:35  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-03-21 00:44 . 2010-10-25 01:25  171064  ----a-w-  c:\windows\system32\drivers\MpFilter.sys
2012-03-03 04:53 . 2009-12-06 22:06  17488  ----a-w-  c:\windows\etdrv.sys
2012-03-01 11:01 . 2002-08-29 01:41  1469440  ------w-  c:\windows\system32\inetcpl.cpl
2012-03-01 11:01 . 2002-08-29 01:41  916992  ----a-w-  c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2002-08-29 01:41  43520  ----a-w-  c:\windows\system32\licmgr10.dll
2011-07-08 07:16 . 2011-07-24 05:42  142296  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-28_14.02.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-30 00:16 . 2012-05-30 00:16  16384  c:\windows\Temp\Perflib_Perfdata_618.dat
+ 2012-05-30 00:17 . 2012-05-30 00:17  16384  c:\windows\Temp\Perflib_Perfdata_5ec.dat
+ 2012-05-30 00:16 . 2012-05-30 00:16  16384  c:\windows\Temp\Perflib_Perfdata_590.dat
+ 2001-08-23 12:00 . 2012-05-29 23:45  81358  c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2012-05-28 13:49  81358  c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2012-05-29 23:45  466778  c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2012-05-28 13:49  466778  c:\windows\system32\perfh009.dat
+ 2012-05-29 01:24 . 2012-05-29 01:24  472064  c:\windows\Installer\2e884d.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\Buddy Lee\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-05-08 3331872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-13 357384]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-08-13 1573384]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-13 3161608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-30 19523616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
"NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-29 1634112]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 22:36	36864	------r-	c:\windows\RaidTool\xInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg9wd"=2 (0x2)
"avg9emc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\defcon\\defcon.exe"=
"c:\\Program Files\\Games\\Counter-Strike Source\\hl2.exe"=
"c:\\Program Files\\Games\\Flatout2-DVD\\FlatOut2.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\Repair.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Desktop\\WoW Test\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Activision\\Blur(TM)\\Blur.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Portal 2\\portal2.exe"=
"c:\\AeriaGames\\EdenEternal\\_Launcher.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\duke nukem forever demo\\System\\DukeForeverDemo.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\launcher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\orcs must die!\\build\\release\\OrcsMustDie.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\betatest\\retailclient\\swtor.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\magic 2012 demo\\Magic_2012.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Buddy Lee\\Local Settings\\Apps\\2.0\\V5MX5KZZ.1XK\\ZEL7LV1A.0XR\\curs..tion_eee711038731a406_0004.0000_2bd39706d04e72c8\\CurseClient.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.524\\Agent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.954\\Agent.exe"=
"c:\\Program Files\\Diablo III\\Diablo III.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.976\\Agent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"57608:TCP"= 57608:TCP:*:Disabled:pando Media Booster
"57608:UDP"= 57608:UDP:*:Disabled:pando Media Booster
"58162:TCP"= 58162:TCP:*:Disabled:pando Media Booster
"58162:UDP"= 58162:UDP:*:Disabled:pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6885:TCP"= 6885:TCP:League of Legends Launcher
"6885:UDP"= 6885:UDP:League of Legends Launcher
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [4/30/2011 10:27 AM 218688]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/23/2001 8:00 AM 14336]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/5/2009 5:20 PM 68136]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [5/18/2012 4:57 PM 2348352]
R3 AODDriver;AODDriver;c:\program files\GIGABYTE\ET6\i386\AODDriver.sys [2/23/2009 1:16 AM 7168]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [12/6/2009 6:06 PM 24944]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [7/14/2009 4:35 PM 19720]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/5/2009 5:23 PM 1691480]
S3 etdrv;etdrv;c:\windows\etdrv.sys [12/6/2009 6:06 PM 17488]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ	Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-29 c:\windows\Tasks\AdobeAAMUpdater-1.0-APEVIA-Buddy Lee.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-27 08:44]
.
2012-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2010-03-27 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1100 series272A572217594EBCF1CEE215E352B92AD073FDE4260471350.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
2012-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1364589140-839522115-1003Core.job
- c:\documents and settings\Buddy Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-06 08:09]
.
2012-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1364589140-839522115-1003UA.job
- c:\documents and settings\Buddy Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-06 08:09]
.
2012-05-29 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Buddy Lee\Application Data\Mozilla\Firefox\Profiles\xmqrti8r.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-29 20:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_80c2ffa.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-746137067-1364589140-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:fc,95,3b,54,93,42,d1,d6,a6,d4,2b,fe,61,86,4f,74,e3,2a,b8,29,bb,
e0,cc,45,2f,84,2b,f4,d0,b6,fd,1d,77,61,77,7c,f6,08,6e,be,f3,0c,04,3e,d6,c5,\
"rkeysecu"=hex:f6,73,5d,ec,09,43,10,ab,85,ec,04,41,ad,f0,c5,d7
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2872)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\GIGABYTE\ET6\GUI.exe
c:\windows\system32\RunDLL32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-05-29 20:20:31 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-30 00:20
ComboFix2.txt 2012-05-28 14:03
.
Pre-Run: 382,268,194,816 bytes free
Post-Run: 382,160,887,808 bytes free
.
- - End Of File - - 3A7A51E9E53C635D2C8CA191E4A031DC
 
Edit: Run Bootkit Scan in my Reply #12 first.

Let's go ahead and handle these:

How to disable this service:

Open a command prompt. (Run a command prompt as Administrator in Windows vista/7)
Copy command line and Paste.


Code:
sc stop "avg9wd"
sc config "avg9wd" start= disabled
sc delete "avg9wd"


Done!
Close the command prompt.
==============================================
Please run OTM again, to make sure whatever Eset found has been handled. I've corrected the code:
Please download OTMoveIt by OldTimer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Files
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n
    C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe
    C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
--------------------------------------
Let's make sure malware isn't hiding in a process:

Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
When scan has finished, you will see this image:
scan-finished.jpg

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
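An added example, not part of the thread or of any tool mentioned in it: a PowerShell script that checks whether a service is still installed before running the stop/disable/delete sequence, so a service that is already gone is reported instead of producing the error 1060 that sc.exe returns when it cannot open a service, and that flags the leftover msconfig entries ComboFix listed for avg9wd and avg9emc. The service names and the msconfig key are taken from the ComboFix log; the script is assumed to run from an elevated PowerShell prompt and only reports unless -Remove is given.

```powershell
# Added example, not from the thread. Checks whether each named service is
# still installed before stopping/disabling/deleting it, then looks for the
# orphan entries msconfig keeps under its own key (the avg9wd/avg9emc lines
# ComboFix listed under HKLM\...\Shared Tools\MSConfig\services).
# Report-only by default; pass -Remove to actually stop, disable and delete.
param(
    [string[]]$ServiceNames = @('avg9wd', 'avg9emc'),  # names taken from the ComboFix log
    [switch]$Remove
)

$msconfigServices = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\services'

function Invoke-ServiceCleanup {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [switch]$Remove
    )

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Same condition sc.exe reports as error 1060: no service registered under that name.
        Write-Output "${Name}: not installed, nothing to stop or delete"
    }
    else {
        # Win32_Service gives the start mode and image path; record them before changing anything.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
        Write-Output "${Name}: installed, state=$($svc.Status), start=$($wmi.StartMode), binary=$($wmi.PathName)"
        if ($Remove) {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
            Set-Service -Name $Name -StartupType Disabled
            # sc.exe delete marks the service for deletion; the key disappears once
            # every open handle is closed, or at the next reboot.
            & sc.exe delete $Name | Out-Null
            Write-Output "${Name}: stopped, disabled and marked for deletion"
        }
    }

    # msconfig records services it has disabled under its own key. An entry here
    # with no installed service behind it is a leftover, which is what the
    # ComboFix log showed for the AVG services after the uninstall.
    $entry = Get-ItemProperty -Path $msconfigServices -Name $Name -ErrorAction SilentlyContinue
    if ($entry) {
        Write-Output "${Name}: msconfig entry still present (value=$($entry.$Name))"
        if ($Remove -and -not $svc) {
            Remove-ItemProperty -Path $msconfigServices -Name $Name
            Write-Output "${Name}: orphan msconfig entry removed"
        }
    }
}

foreach ($name in $ServiceNames) { Invoke-ServiceCleanup -Name $name -Remove:$Remove }
```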
 
Edit: Run Bootkit Scan in my Reply #12 first

I will go ahead and try these items later today. However, I must warn you that last night I lost my phone and DSL service. I have contacted the phone company and they have stated that I am part of a "group outage" that may not be fixed until Friday. However, I believe that I may be having some other issues with the DSL lines that may take more time to fix. You may be wondering why I am telling you this... I just wanted you to know this in case I am unable to perform any of these tasks for a few days until my Internet connection has been re-established. However, until that happens I will do what steps I can (without going out of order) and update you either through work or my phone's internet. I just don't want this thread to get closed on me if the phone company is slow to fix the issue.

Thank you for your patience with this matter.

I did have one other question. While I am going through the virus/malware removal process, I have been disabling my internet connection (via Network Connections) when I am done following your steps and just reactivating it when I know you have more for me to do. Should I keep doing this to try and keep my PC quarantined and offline until we are sure that it has been cleaned, or am I being too cautious about it?
 
Thank you for the update- writing note to myself to keep open.

You do not need to disconnect from the internet in general. If you need to run in other than Normal Mode, I will advise you.
=====================================
DO FIRST:
I missed an entry in GMER. Before you run the previous scans I left, please do the following first:

Bootkit Remover:

Download Bootkit Remover.zip and save to your desktop.
  1. Extract the remover.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
  2. Double-click on the remover.exe file to run the program.
    (Vista/7 users, right click on remover.exe and click Run As Administrator.)
  3. You will see a black screen with data
  4. Right click on the screen and click Select All.
  5. Press CTRL+C
  6. Open a Notepad and press CTRL+V
  7. Paste the output in your next reply.
=====================================
 
Thanks for understanding about my internet situation, I really appreciate it and will keep you updated.

So it looks like I will be following the scan in Reply #12 first (Bootkit Remover) and THEN go back and then follow the instructions in #10. Gotcha. Do you want me to post the log from the Bootkit Remover before proceeding to the instructions in #10? Or can I just follow #12 and then go right into #10?
 
Well it looks like they fixed my phone and DSL sooner than I had thought! Ok I ran through the steps (doing the Bootkit Remover step first) and here are my results:

Bootkit Log:

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Command Prompt (I grabbed this stuff since I'm not sure if it worked):

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Buddy Lee>sc stop "avg9wd"
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Buddy Lee>sc config "avg9wd" start= disabled
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Buddy Lee>sc delete "avg9wd"
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


OTMoveIt Log:

All processes killed
========== FILES ==========
C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n moved successfully.
C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul moved successfully.
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe moved successfully.
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe moved successfully.
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe moved successfully.
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe moved successfully.
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe moved successfully.
C:\Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 562 bytes

User: All Users

User: Buddy Lee
->Temp folder emptied: 753061 bytes
->Temporary Internet Files folder emptied: 3194833 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 45156242 bytes
->Flash cache emptied: 1016 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 6818 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 23593 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 17181247 bytes

Total Files Cleaned = 63.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 05302012_194856

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_74.dat not found!

Registry entries deleted on Reboot...


MBAM Log:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.30.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Buddy Lee :: APEVIA [limited]

5/30/2012 7:58:14 PM
mbam-log-2012-05-30 (19-58-14).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 598618
Time elapsed: 2 hour(s), 14 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n (Backdoor.Agent.Gen) -> Quarantined and deleted successfully.

(end)
 
The only odd thing that happened during the MBAM run was that MSE kicked up a warning that it had detected a threat at just about the time MBAM made its detection. (Since my system was online, the MSE real-time protection wasn't disabled.) If this will cause an issue I can re-run MBAM after turning off MSE's real-time protection.

Also, I had a question about Java. In an earlier step, you had me remove the older versions of it, but I came across JavaFX 2.1.0. Do I need to remove that as well?
 
The JavaFX is for Linux Developer. You may have downloaded it by mistake. If you're asking me about it, then I don't think it was intentional. Check here, then remove: http://docs.oracle.com/javafx/2/release_notes_linux/jfxpub-release_notes_linux.htm

Bootkit scan is okay. AVG Services must have been removed although they were still in Combofix.

You are getting reinfected from a file- but I can't identify it:

Previously found and removed:
C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\n (Backdoor.Agent.Gen) -> Quarantined and deleted successfully.
In the current Mbam log- again:
C:\Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

This may be from a flashplayer object you got through the YouTube Toolbar. You can try doing a search for the file, showing hidden files and folders:

Right click on Start> Explore> do the following from within Windows Explorer:

Show Hidden Folders/Files
Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.

Open Search> Set the Search for your doc & settings> Appdata> look for>>

Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505}

Do a right click> Delete if found. Then go and empty the Recycle Bin. Reset Hidden/System Files & Folders.
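An added example, not from the thread or from any tool it mentions: the same hidden-folder search done in PowerShell. It walks each profile's Local Settings\Application Data, lists brace-GUID directories that hold a file named n or a U subfolder containing *.@ files (the layout MBAM reported for the {2f1cbfb4-…} folder), and only reports; the profile root defaults to the XP layout used in this thread and is an assumption for any other system.

```powershell
# Added example, not from the thread. Scripted version of the Explorer search
# above: show hidden/system items under each profile's Local Settings\Application
# Data and report brace-GUID folders that contain a file "n" or a "U" subfolder
# with "*.@" files, which is how MBAM reported {2f1cbfb4-...}. Report only.
param(
    [string]$ProfileRoot = 'C:\Documents and Settings'   # XP layout from the thread (assumed default)
)

# Plenty of legitimate GUID-named folders live in Application Data, so the name
# alone is not a verdict; the n / U\*.@ contents are what narrow it down.
$guidDirPattern = '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$'

function Find-SuspectGuidFolders {
    param([Parameter(Mandatory = $true)][string]$Root)

    # -Force is the scripted equivalent of "Show hidden files and folders" and
    # unticking "Hide protected operating system files".
    $profiles = Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }

    foreach ($profile in $profiles) {
        $lad = Join-Path $profile.FullName 'Local Settings\Application Data'
        if (-not (Test-Path -LiteralPath $lad)) { continue }

        Get-ChildItem -LiteralPath $lad -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $guidDirPattern } |
            ForEach-Object {
                $nFile   = Join-Path $_.FullName 'n'
                $uFolder = Join-Path $_.FullName 'U'
                $hasN    = Test-Path -LiteralPath $nFile -PathType Leaf
                $atFiles = @()
                if (Test-Path -LiteralPath $uFolder -PathType Container) {
                    $atFiles = @(Get-ChildItem -LiteralPath $uFolder -Force -ErrorAction SilentlyContinue |
                                 Where-Object { -not $_.PSIsContainer -and $_.Name -like '*.@' })
                }
                if ($hasN -or $atFiles.Count -gt 0) {
                    New-Object PSObject -Property @{
                        Folder   = $_.FullName
                        Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                        HasN     = $hasN
                        AtFiles  = $atFiles.Count
                        Modified = $_.LastWriteTime
                    }
                }
            }
    }
}

Find-SuspectGuidFolders -Root $ProfileRoot | Format-List
```

On Vista/7 the profile root is C:\Users and the per-profile path is AppData\Local instead of Local Settings\Application Data.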
 
Ok. I found and deleted the Documents and Settings\Buddy Lee\Local Settings\Application Data\{2f1cbfb4-f416-fa3a-0185-147727087505} folder (and then emptied the recycling bin).

Oh, on a side note, I was updating the Java on another PC to the latest version and when it installed version 7 update 4, it also installed JavaFX 2.1.0. Just thought I'd let you know.
 
Well, a little while after doing the step above, I tried doing a random search on Google (because I had to reset my modem). When I went to click on the first link in the search results, Chrome stopped me, stating something like the website contained malware (sorry that I didn't jot the address down), but I know that it wasn't the site listed on the result I clicked on because I am familiar with that site.
 
I went ahead with my own update to see what was happening. When I got JavaFX also, I went looking for why:

Regarding Java: A learning experience for both of us:
In addition, as part of the Java 7 release, the Java Development Kit (JDK) now includes the SDK for developing JavaFX applications and, more importantly, the JavaFX Runtime is now installed with the JRE. As well as bug fixes, the bundled JavaFX release, version 2.0.2, includes some important updates, such as interoperability with the Standard Widget Toolkit (SWT), and a change of license, which enables third party developers to redistribute the JavaFX Runtime with their applications in accordance with the Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX (pdf document).
Full article: http://www.infoq.com/news/2011/12/javafx-java7
==============================================

Please update and run a new scan with Eset so we can make sure the file is gone.
 
Hello again.

I had 2 quick questions about the Eset scan before I run it.

1.) Should I be disabling the real-time protection of MSE while Eset is running?
2.) Should I have the "Remove Threats" option checked or unchecked when scanning with Eset? (I know in previous set of directions you had me remove the check.)

Thanks.
 
Hello. Here is the Eset scan log.

C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372442.rbf	a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372443.rbf	a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP781\A0372458.rbf	probably a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP798\A0383308.msi	a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412141.exe	a variant of Win32/InstallCore.T application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412142.exe	a variant of Win32/InstallIQ application
C:\System Volume Information\_restore{2B9E1DD6-FB66-4A05-9F5D-8CA5F8415DB5}\RP820\A0412143.exe	a variant of Win32/InstallIQ application
C:\_OTM\MovedFiles\05282012_213059\C_Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exe	Win32/Toolbar.Widgi application
C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\Local Settings\Application Data\{6128FC19-A7F7-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul	JS/Redirector.NIQ trojan
C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_acaladvdripperprose_exe.exe	a variant of Win32/InstallCore.D application
C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_avc-free_exe.exe	a variant of Win32/InstallCore.D application
C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\cnet2_dvdripper-adownload_exe.exe	a variant of Win32/InstallCore.D application
C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_Pazera_Free_MOV_to_AVI_Converter_zip.exe	a variant of Win32/InstallCore.D application
C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\cnet_SVC3_zip.exe	a variant of Win32/InstallCore.D application
C:\_OTM\MovedFiles\05302012_194856\C_Documents and Settings\Buddy Lee\My Documents\Downloads\YouTubeDownloaderSetup34.exe	a variant of Win32/Toolbar.Widgi application
 
Okay, good job! Nothing new. System Volume is for restore points and they will be removed at the end of cleaning. The OTM MovedFiles are those that were found previously and have now been handled!

No current, active malware showing.

How is the system doing now?
 
Well the system is acting fine (and I am really glad you got rid of the stray AVG process). Other than the one redirect that I mentioned a few replies back my system has been acting fine except for the fact that MSE was alerting me to threats that it was finding. If I look at the MSE history, the last 2 items found (and quarantined) were on 5/30 (which were Sirefef.AM and Meredrop) but I have been pretty much not using my system during the cleaning process. So, overall the system is running fine. :)
 