Solved Software found trojans, but said it couldn't find to delete. Ran 5 step

Before I forget- again- you don't need WinZip or 7Zip on Windows XP. It has a built-in decompressor (unzipper). You just follow a direction to download the zip file and save it to the desktop. Then you double click on that saved file and XP will ask if you want to Extract All Files? Answer Yes, then extract all of the files and click on the particular file for the direction given.

Another tip: If using a laptop:
Click on Start> Settings> Control Panel> Power Options> Advanced tab> Power Buttons:

Set 'Close the lid' to Standby
Set 'Press power button' to Shut Down
Set 'Press the Sleep button' to Standby

The Standby setting will save whatever you're working on right on the screen. When you reopen, system will connect to internet again and you can continue with your work.

A Caution: IF you are working on something like a long document that you don't want to take a chance on losing, click on File> Save As> make location Desktop> give the file a name. Then if the power should go out, you still have the work saved and can add to it and close the lid again by clicking File> Save (not Save As- that's just the first time).

Standby is a lower power setting, but keeps the work on the screen.
==================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\All Users\Application Data\1328289714.3736.bin
c:\documents and settings\All Users\Application Data\1328296496.bdinstall.bin
c:\documents and settings\All Users\Application Data\1328289714.1384.bin
c:\documents and settings\All Users\Application Data\1328289714.2480.bin
c:\documents and settings\All Users\Application Data\1328289714.640.bin
c:\documents and settings\All Users\Application Data\1328289714.3816.bin
c:\documents and settings\All Users\Application Data\1328289714.3804.bin
c:\documents and settings\All Users\Application Data\1328289714.2128.bin
c:\documents and settings\All Users\Application Data\1328289714.496.bin

DDS::
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
{6d53ec84-6aae-4787-aeee-f4628f01010c}
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Please try running the Eset scan again.
 
ComboFix text file

ComboFix 12-02-23.01 - HP_Owner 02/25/2012 14:00:41.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2382 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.
FILE ::
"c:\documents and settings\All Users\Application Data\1328289714.1384.bin"
"c:\documents and settings\All Users\Application Data\1328289714.2128.bin"
"c:\documents and settings\All Users\Application Data\1328289714.2480.bin"
"c:\documents and settings\All Users\Application Data\1328289714.3736.bin"
"c:\documents and settings\All Users\Application Data\1328289714.3804.bin"
"c:\documents and settings\All Users\Application Data\1328289714.3816.bin"
"c:\documents and settings\All Users\Application Data\1328289714.496.bin"
"c:\documents and settings\All Users\Application Data\1328289714.640.bin"
"c:\documents and settings\All Users\Application Data\1328296496.bdinstall.bin"
.
.
((((((((((((((((((((((((( Files Created from 2012-01-25 to 2012-02-25 )))))))))))))))))))))))))))))))
.
.
2012-02-22 07:36 . 2012-02-22 07:36 341547 ----a-w- c:\documents and settings\All Users\Application Data\1329894479.bdinstall.bin
2012-02-22 07:29 . 2012-02-22 07:29 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Bitdefender
2012-02-22 07:27 . 2012-02-22 07:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Bitdefender
2012-02-22 07:11 . 2012-02-22 07:11 -------- d-----w- c:\program files\Bitdefender
2012-02-22 07:08 . 2011-08-16 20:59 360976 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2012-02-22 07:08 . 2011-10-27 21:07 340624 ----a-w- c:\windows\system32\drivers\trufos.sys
2012-02-22 06:57 . 2012-02-22 07:08 -------- d-----w- c:\program files\Common Files\Bitdefender
2012-02-17 22:57 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-17 22:57 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-03 19:17 . 2012-02-03 19:17 172523 ----a-w- c:\documents and settings\All Users\Application Data\1328296496.bdinstall.bin
2012-02-03 17:48 . 2012-02-03 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\BDLogging
2012-02-03 17:47 . 2012-02-03 17:48 1249 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.240.bin
2012-02-03 17:31 . 2012-02-03 17:31 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\QuickScan
2012-02-03 17:28 . 2012-02-03 17:48 69417 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.3736.bin
2012-02-03 17:28 . 2012-02-03 17:28 4510 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.1384.bin
2012-02-03 17:27 . 2012-02-03 17:28 4510 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.2480.bin
2012-02-03 17:27 . 2012-02-03 17:32 6209 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.640.bin
2012-02-03 17:27 . 2012-02-03 17:30 1698 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.3816.bin
2012-02-03 17:27 . 2012-02-03 17:30 1670 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.3804.bin
2012-02-03 17:22 . 2012-02-03 17:48 179008 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.2128.bin
2012-02-03 17:21 . 2012-02-03 17:33 43518 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.496.bin
2012-02-02 04:14 . 2012-02-02 04:14 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\GFI Software
2012-02-02 04:14 . 2012-02-02 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\GFI Software
2012-02-02 04:13 . 2012-02-02 04:13 -------- d-----w- c:\program files\GFI Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 17:16 . 2012-01-25 17:16 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-01-19 00:15 . 2012-01-19 00:15 446696 ----a-w- c:\windows\system32\drivers\avckf.sys
2012-01-19 00:15 . 2012-01-19 00:15 609984 ----a-w- c:\windows\system32\drivers\avc3.sys
2012-01-12 16:53 . 2004-08-04 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\Bitdefender\Bitdefender 2012\bdagent.exe" [2012-01-24 1184640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2009-12-09 136744]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-3-8 27136]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA .sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 03:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 14:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 08:49 318096 ----a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2009-08-15 19:39 122368 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-15 17:53 136176 ----atw- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-09-21 17:41 1605740 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
2005-06-02 06:35 49152 ----a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 16:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 08:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-07-07 23:14 576320 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 22:44 61440 ----a-w- c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2006-11-03 17:01 319488 ----a-w- c:\windows\PixArt\Pac7311\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-08-02 15:30 7110656 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 21:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QwestTouchPointAgent]
2010-08-27 03:59 45992 ----a-w- c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 11:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-13 00:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-12-09 20:21 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [1/18/2012 5:15 PM 609984]
R1 BDVEDISK;BDVEDISK;c:\windows\system32\drivers\bdvedisk.sys [1/19/2010 6:32 PM 85128]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [1/5/2012 3:43 PM 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [1/25/2012 10:16 AM 71440]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [6/1/2010 10:13 AM 67584]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [1/25/2012 10:16 AM 931640]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 11:02 AM 1213728]
R2 UPDATESRV;BitDefender Desktop Update Service;c:\program files\Bitdefender\Bitdefender 2012\updatesrv.exe [1/23/2012 7:23 PM 50128]
R3 avchv;avchv Function Driver;c:\windows\system32\drivers\avchv.sys [11/25/2011 1:59 PM 240184]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/10/2011 8:43 PM 21520]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/4/2010 5:51 PM 135664]
S3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [1/18/2012 5:15 PM 446696]
S3 bdsandbox;bdsandbox;c:\windows\system32\drivers\bdsandbox.sys [11/17/2011 4:38 PM 63056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/4/2010 5:51 PM 135664]
S3 PAC7311;VGA USB Camera;c:\windows\system32\drivers\PA707UCM.SYS [10/18/2005 10:48 AM 530304]
S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [10/4/2009 4:45 PM 8576]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [1/25/2012 10:16 AM 56208]
S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [1/25/2012 10:16 AM 164112]
S3 Update Server;BitDefender Update Server v2;c:\program files\Common Files\Bitdefender\Bitdefender Arrakis Server\bin\arrakis3.exe [10/14/2011 10:57 PM 307544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-14 18:37]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 00:50]
.
2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 00:50]
.
2012-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1443124371-554635790-1783820382-1009Core.job
- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-07 17:53]
.
2012-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1443124371-554635790-1783820382-1009UA.job
- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-07 17:53]
.
2012-02-25 c:\windows\Tasks\User_Feed_Synchronization-{D0071EE4-C26E-4CD4-BCDB-A08837CC3708}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
DPF: {64CEA9F9-7116-4ECA-A905-FA3EA28BD0FE} - hxxp://www.tripadvisor.com/cab/wabparser.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-25 14:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3712)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-25 14:27:08
ComboFix-quarantined-files.txt 2012-02-25 21:26
ComboFix2.txt 2012-02-23 20:42
.
Pre-Run: 112,712,814,592 bytes free
Post-Run: 112,697,618,432 bytes free
.
- - End Of File - - CED8EA3B78C38445A1698BC613F34A0A
 
Okay, we need to check on the status of the AV:

1). Originally, there were processes for both Kaspersky and Bitdefender AV: dates were:
2012-02-03 19:24 -------- d-----w- c:\program files\Kaspersky Lab
2012-02-03 17:28 -------- d-----w- c:\program files\Bitdefender
2). But Bitdefender was showing as 'outdated.'
3). Since Kaspersky was still in 'trial', you decided to remove it and keep BitDefender.
4). At some point, you decided to uninstall then reinstall BitDefender, rather than just update it, which I think was done on 2/22/2012.
The Combofix log of 2/22/2012 later shows AV: Bitdefender Antivirus *Disabled/Updated*
5). And there were multiple .bin files, like this:
2012-02-03 17:48 69417 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.3736.bin
which I thought were from BitDefender, but they shouldn't be .bin files, which may indicate they were burned, not updated online.
I removed the .bin files in the CFScript, but they recurred in the Combofix log of 2/22/2012.
-------------------------So>>
I need to take a look at one of the .bin files:

Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it:

Code:
File::
FileLook::
c:\documents and settings\All Users\Application Data\1328289714.3736.bin
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
You can also tell me the source of the recent Bitdefender.
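The check the helper is doing by eye above (did the File:: targets from the CFScript reappear in the next log, and what does the FileLook:: block say about one of them) can be scripted against the ComboFix log format shown in this thread. This is an added example written for this page, not ComboFix's own code; the sample script and log excerpt are constructed from lines quoted in the thread, and the line layout it parses is assumed from those quotes.

```python
"""Triage helpers for ComboFix output (constructed example, not ComboFix code).

Assumed layout, taken from the logs quoted in this thread:
  - a "((((( Files Created from ... to ... )))))" banner, then entries shaped
    "<created> . <modified> <size|--------> <attrs> <path>"
  - a "((((( Look )))))" banner with "--- <path> ---" followed by "Key: value"
    lines for a FileLook:: request, terminated by a lone "." line
  - a CFScript whose "File::" directive lists one path per line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One "Files Created" entry: created . modified size attrs path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+\S)\s*$"
)
# Section banner: "(((((( Section name ))))))"
BANNER_RE = re.compile(r"^\({5,}.*\){5,}\s*$")


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    created: str
    modified: str
    attrs: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(log_text: str) -> list[FileEntry]:
    """Entries under the 'Files Created' banner, in log order."""
    entries, inside = [], False
    for line in log_text.splitlines():
        if BANNER_RE.match(line):
            inside = "Files Created" in line   # any other banner ends the section
            continue
        m = ENTRY_RE.match(line.strip()) if inside else None
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(FileEntry(m["path"], size, m["created"],
                                     m["modified"], m["attrs"]))
    return entries


def parse_file_targets(cfscript_text: str) -> list[str]:
    """Paths listed under the CFScript 'File::' directive (until the next 'Xxx::')."""
    targets, inside = [], False
    for line in cfscript_text.splitlines():
        s = line.strip()
        if s.endswith("::"):
            inside = (s == "File::")
            continue
        if inside and s:
            targets.append(s)
    return targets


def recurring_targets(cfscript_text: str, log_text: str) -> list[str]:
    """File:: targets that still appear as created files in a later log."""
    present = {e.path.lower() for e in parse_files_created(log_text) if not e.is_dir}
    return [t for t in parse_file_targets(cfscript_text) if t.lower() in present]


def parse_look(log_text: str) -> dict[str, dict[str, str]]:
    """FileLook:: results keyed by path, e.g. {'MD5': ..., 'SHA1': ..., 'File size': ...}."""
    results, current = {}, None
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith("--- ") and s.endswith(" ---"):
            current = s[4:-4]
            results[current] = {}
        elif current and s == ".":          # blank separator closes the block
            current = None
        elif current and ": " in s:
            key, _, value = s.partition(": ")
            results[current][key] = value
    return results


# Constructed sample: the File:: block from the CFScript and an excerpt of the
# later log, both trimmed from the posts above.
CFSCRIPT = r"""File::
c:\documents and settings\All Users\Application Data\1328289714.3736.bin
c:\documents and settings\All Users\Application Data\1328296496.bdinstall.bin

Clearjavacache::
"""

LOG = r"""ComboFix 12-02-23.01 - HP_Owner 02/27/2012 14:06:32.6.1 - x86
.
((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))
.
2012-02-22 07:36 . 2012-02-22 07:36 341547 ----a-w- c:\documents and settings\All Users\Application Data\1329894479.bdinstall.bin
2012-02-22 07:11 . 2012-02-22 07:11 -------- d-----w- c:\program files\Bitdefender
2012-02-03 19:17 . 2012-02-03 19:17 172523 ----a-w- c:\documents and settings\All Users\Application Data\1328296496.bdinstall.bin
2012-02-03 17:28 . 2012-02-03 17:48 69417 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.3736.bin
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
--- c:\documents and settings\All Users\Application Data\1328289714.3736.bin ---
Company: ------
File size: 69417
Created time: 2012-02-03 17:28
Modified time: 2012-02-03 17:48
MD5: 3B7FC2992EDBBDEEE6FA91502F998CF9
SHA1: 9947415EB41A62BF30DE4EF2270F7B723A6DA91A
.
"""

if __name__ == "__main__":
    for path in recurring_targets(CFSCRIPT, LOG):
        print("still present after File:: removal:", path)
    for path, info in parse_look(LOG).items():
        print(path, info.get("File size"), info.get("MD5"), info.get("SHA1"))
```

Both .bin files the CFScript targeted come back as present, which is the "recurred" observation above; the MD5/SHA1 from the Look block is what you would submit to a file-reputation service to identify the file.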
 
Bit text file from

ComboFix 12-02-23.01 - HP_Owner 02/27/2012 14:06:32.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2553 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))
.
.
2012-02-22 07:36 . 2012-02-22 07:36 341547 ----a-w- c:\documents and settings\All Users\Application Data\1329894479.bdinstall.bin
2012-02-22 07:29 . 2012-02-22 07:29 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Bitdefender
2012-02-22 07:27 . 2012-02-22 07:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Bitdefender
2012-02-22 07:11 . 2012-02-22 07:11 -------- d-----w- c:\program files\Bitdefender
2012-02-22 07:08 . 2011-08-16 20:59 360976 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2012-02-22 07:08 . 2011-10-27 21:07 340624 ----a-w- c:\windows\system32\drivers\trufos.sys
2012-02-22 06:57 . 2012-02-22 07:08 -------- d-----w- c:\program files\Common Files\Bitdefender
2012-02-17 22:57 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-17 22:57 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-03 19:17 . 2012-02-03 19:17 172523 ----a-w- c:\documents and settings\All Users\Application Data\1328296496.bdinstall.bin
2012-02-03 17:48 . 2012-02-03 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\BDLogging
2012-02-03 17:47 . 2012-02-03 17:48 1249 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.240.bin
2012-02-03 17:31 . 2012-02-03 17:31 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\QuickScan
2012-02-03 17:28 . 2012-02-03 17:48 69417 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.3736.bin
2012-02-03 17:28 . 2012-02-03 17:28 4510 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.1384.bin
2012-02-03 17:27 . 2012-02-03 17:28 4510 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.2480.bin
2012-02-03 17:27 . 2012-02-03 17:32 6209 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.640.bin
2012-02-03 17:27 . 2012-02-03 17:30 1698 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.3816.bin
2012-02-03 17:27 . 2012-02-03 17:30 1670 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.3804.bin
2012-02-03 17:22 . 2012-02-03 17:48 179008 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.2128.bin
2012-02-03 17:21 . 2012-02-03 17:33 43518 ----a-w- c:\documents and settings\All Users\Application Data\1328289714.496.bin
2012-02-02 04:14 . 2012-02-02 04:14 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\GFI Software
2012-02-02 04:14 . 2012-02-02 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\GFI Software
2012-02-02 04:13 . 2012-02-02 04:13 -------- d-----w- c:\program files\GFI Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 17:16 . 2012-01-25 17:16 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-01-19 00:15 . 2012-01-19 00:15 446696 ----a-w- c:\windows\system32\drivers\avckf.sys
2012-01-19 00:15 . 2012-01-19 00:15 609984 ----a-w- c:\windows\system32\drivers\avc3.sys
2012-01-12 16:53 . 2004-08-04 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\documents and settings\All Users\Application Data\1328289714.3736.bin ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 69417
Created time: 2012-02-03 17:28
Modified time: 2012-02-03 17:48
MD5: 3B7FC2992EDBBDEEE6FA91502F998CF9
SHA1: 9947415EB41A62BF30DE4EF2270F7B723A6DA91A
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-23_20.35.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-27 20:06 . 2012-02-27 20:06 16384 c:\windows\Temp\Perflib_Perfdata_1a4.dat
- 2005-06-25 05:32 . 2012-02-23 18:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-06-25 05:32 . 2012-02-27 20:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-06-24 22:25 . 2012-02-27 20:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-06-24 22:25 . 2012-02-23 18:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-02-22 07:59 . 2012-02-27 20:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2012-02-22 07:59 . 2012-02-23 18:23 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\Bitdefender\Bitdefender 2012\bdagent.exe" [2012-01-24 1184640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2009-12-09 136744]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-3-8 27136]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA .sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 03:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 14:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 08:49 318096 ----a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2009-08-15 19:39 122368 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-15 17:53 136176 ----atw- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-09-21 17:41 1605740 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
2005-06-02 06:35 49152 ----a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 16:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 08:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-07-07 23:14 576320 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 22:44 61440 ----a-w- c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2006-11-03 17:01 319488 ----a-w- c:\windows\PixArt\Pac7311\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-08-02 15:30 7110656 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 21:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QwestTouchPointAgent]
2010-08-27 03:59 45992 ----a-w- c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 11:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-13 00:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-12-09 20:21 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [1/18/2012 5:15 PM 609984]
R1 BDVEDISK;BDVEDISK;c:\windows\system32\drivers\bdvedisk.sys [1/19/2010 6:32 PM 85128]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [1/5/2012 3:43 PM 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [1/25/2012 10:16 AM 71440]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [6/1/2010 10:13 AM 67584]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [1/25/2012 10:16 AM 931640]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 11:02 AM 1213728]
R2 UPDATESRV;BitDefender Desktop Update Service;c:\program files\Bitdefender\Bitdefender 2012\updatesrv.exe [1/23/2012 7:23 PM 50128]
R3 avchv;avchv Function Driver;c:\windows\system32\drivers\avchv.sys [11/25/2011 1:59 PM 240184]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [8/10/2011 8:43 PM 21520]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/4/2010 5:51 PM 135664]
S3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [1/18/2012 5:15 PM 446696]
S3 bdsandbox;bdsandbox;c:\windows\system32\drivers\bdsandbox.sys [11/17/2011 4:38 PM 63056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/4/2010 5:51 PM 135664]
S3 PAC7311;VGA USB Camera;c:\windows\system32\drivers\PA707UCM.SYS [10/18/2005 10:48 AM 530304]
S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [10/4/2009 4:45 PM 8576]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [1/25/2012 10:16 AM 56208]
S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [1/25/2012 10:16 AM 164112]
S3 Update Server;BitDefender Update Server v2;c:\program files\Common Files\Bitdefender\Bitdefender Arrakis Server\bin\arrakis3.exe [10/14/2011 10:57 PM 307544]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTIASO
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-14 18:37]
.
2012-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 00:50]
.
2012-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 00:50]
.
2012-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1443124371-554635790-1783820382-1009Core.job
- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-07 17:53]
.
2012-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1443124371-554635790-1783820382-1009UA.job
- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-07 17:53]
.
2012-02-27 c:\windows\Tasks\User_Feed_Synchronization-{D0071EE4-C26E-4CD4-BCDB-A08837CC3708}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
DPF: {64CEA9F9-7116-4ECA-A905-FA3EA28BD0FE} - hxxp://www.tripadvisor.com/cab/wabparser.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-27 14:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3292)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-27 14:32:51
ComboFix-quarantined-files.txt 2012-02-27 21:32
ComboFix2.txt 2012-02-25 21:27
ComboFix3.txt 2012-02-23 20:42
.
Pre-Run: 112,608,038,912 bytes free
Post-Run: 112,580,292,608 bytes free
.
- - End Of File - - 867D7AF4AA7CDC3B220E995659049C18
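Triage of the ComboFix log above, as an added example that is not the thread's or ComboFix's own code: it parses the R*/S* service lines and the firewall-policy key, flags drivers whose image carries the "[?]" suffix (read here as "file not found on disk", an assumption) and a disabled Windows Firewall, parses the FileLook block into fields and reports the absence of any version resource, and computes MD5/SHA1 in FileLook's form so a file you hold can be checked against the report.

```python
"""Triage helpers for the ComboFix log and FileLook report quoted in this thread.
Added example, not part of ComboFix. Sample input is copied from the log above;
reading "[?]" as "image file not found on disk" is an assumption made here."""
import hashlib
import re

# One service/driver line: start type, service name, display name, image path
# and an optional bracketed "[date time size]" or "[?]" suffix.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?: \[(?P<meta>[^\]]*)\])?$"
)
FW_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"
FW_VALUE_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
VERSION_FIELDS = ("Company", "File Description", "File Version",
                  "Product Name", "Copyright", "Original Filename")

# Lines taken from the ComboFix log in this thread.
LOG_LINES = [
    FW_KEY,
    '"EnableFirewall"= 0 (0x0)',
    r"R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [1/18/2012 5:15 PM 609984]",
    r"S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]",
    r"S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/4/2010 5:51 PM 135664]",
]

# The FileLook block posted in this thread.
FILELOOK = r"""--- c:\documents and settings\All Users\Application Data\1328289714.3736.bin ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 69417
Created time: 2012-02-03 17:28
Modified time: 2012-02-03 17:48
MD5: 3B7FC2992EDBBDEEE6FA91502F998CF9
SHA1: 9947415EB41A62BF30DE4EF2270F7B723A6DA91A"""


def parse_services(lines):
    """One dict per R*/S* service line; 'missing' is True for a '[?]' suffix."""
    found = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["missing"] = entry["meta"] == "?"
            found.append(entry)
    return found


def firewall_enabled(lines):
    """True/False from the standard-profile EnableFirewall value, None if absent."""
    in_key = False
    for line in lines:
        line = line.strip()
        if line.startswith("["):
            in_key = line == FW_KEY      # value lines belong to the key above them
            continue
        if in_key:
            m = FW_VALUE_RE.match(line)
            if m:
                return m.group(1) != "0"
    return None


def parse_filelook(text):
    """Parse 'Field: value' lines; 'no_version_info' is True when every PE
    version field is blank ('------'), i.e. the file has no version resource."""
    info = {}
    for line in text.splitlines():
        if line.startswith("--") or ":" not in line:
            continue                     # skip the path header and blank lines
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    info["no_version_info"] = all(info.get(f) == "------" for f in VERSION_FIELDS)
    return info


def file_hashes(data):
    """MD5 and SHA1 in the upper-case hex form FileLook prints, for comparing a
    file you hold against the values in a report."""
    return (hashlib.md5(data).hexdigest().upper(),
            hashlib.sha1(data).hexdigest().upper())


def triage(lines):
    """Findings a reviewer would raise from the service and firewall sections."""
    findings = []
    if firewall_enabled(lines) is False:
        findings.append("Windows Firewall is disabled for the standard profile")
    for svc in parse_services(lines):
        if svc["missing"]:
            findings.append(f"{svc['start']} {svc['name']}: image not found on disk ({svc['path']})")
    return findings
```

Run `triage(LOG_LINES)` against the sample and you get two findings (the disabled firewall and the SBRE driver with no file on disk); `parse_filelook(FILELOOK)["no_version_info"]` is True for the .bin file the helper could not identify.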
 
Bobbye- I deleted all the virus protections on my computer so I could start fresh and clean. I went to Bitdefenders.com site to get the download of the full version. I paid for it. Hope that helps and the last scan worked correctly. I never get why the txt file doesn't disappear when I drag and drop it in the combofix.exe. Thanks so much for all you do. My computer is working really well. I need to start using it soon for some banking business and reports I need to get done. I hope to get cleared for that soon! If you think it's safe now...do let me know.
 
For the next time> never remove all of your security and then go online! The second you connect, you are vulnerable!

I did not tell you not to work- just not run cleaning scans that I hadn't instructed you to do and not to install new programs.
It looks to me like you burned this: BitDefenderRescueCD_v2.0.0_5_10_2010.iso That would account for the .bin extension.
ISO - ISO binary image file - Binary image of CD/DVD in ISO 9660 standard, which defines a file system for CD-ROM media.
BIN - Binary disk image file - Binary file is often used as CD/DVD backup image files, file format is very similar to ISO.

Did you burn the Rescue CD when you downloaded BitDefender AV? Please see this:
http://www.bitdefender.com/support/How-to-create-a-Bitdefender-Rescue-CD-627.html

If you did, they should be on a USB Drive, not your hard drive.

Important! Please contact Bitdefender support and ask them what these files are- why .bin file extension:
"c:\documents and settings\All Users\Application Data\1328289714.1384.bin"
Even the install is .bin:
c:\documents and settings\All Users\Application Data\1328296496.bdinstall.bin

I had a script for them to be removed in Combofix; they were removed but came right back.

I had you do a FileLook so I could get info on what these .bin files are. Once you ran the script for this, I got the following information from it:
--- c:\documents and settings\All Users\Application Data\1328289714.3736.bin ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 69417
Created time: 2012-02-03 17:28
Modified time: 2012-02-03 17:48
MD5: 3B7FC2992EDBBDEEE6FA91502F998CF9
SHA1: 9947415EB41A62BF30DE4EF2270F7B723A6DA91A
Actually, I got NO info as nothing is identified and I can't find anything matching the MD5.

This concerns me- I don't know what these files are or why they came back.
======================================
We have to get a virus scan: did you try Eset again? If not, please do so.
If you can't run it, try this one:
Run Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
=============================
Until I get an online virus scan and find out what the .bin files are, I cannot tell you the system is clean. But have a look at this thread from Kaspersky about the Exploit.Win32.CVE-2010-2568.gen you were concerned about:
http://forum.kaspersky.com/lofiversion/index.php/t229518.html
 
Sorry to confuse you. I kept the Windows firewall on and the Kaspersky while I downloaded the new bitdefender from http://store.hermanstreet.com/dowload. When I first tried to download bitdefender it was from TLPY.CO*BITDEFENDER AN TRIALPAY.COM CA
COMPUTER SOFTWARE STORES. They issued a refund because I was never able to get it to run. That was in early February. When I was cleaning out all the old VPs, I deleted every file that I could find with any words that had bitdefender on it so I could start fresh. I never made a rescue disk that I recall. Usually I ask for those to be mailed if I need a back up of software. This computer we are fixing is an XP and not a laptop. I'll try the Eset again now and let you know.
 
Darn...I just realized that I didn't check the scan archive box and ESET is running on my computer right now. When it's finished, should I run the scan again correctly before sending you the file? Or, would you care to see both? This is assuming it works! If I don't hear back from you shortly--I'll send you both files.
 
This computer we are fixing is an XP and not a laptop

Windows XP is an operating system, not a computer model. It can be installed on a desktop, laptop, netbook. If you are working on a desktop computer, just ignore the choice for 'shutting down the lid.' Make the Standby choices I gave you. Then you can set the time for the screen saver to come on. Your work will remain on the screen while the s/s runs and you can tap any key or move the mouse to bring it out of Standby.

I would appreciate it if you would use the Edit feature to add a small amount of text instead of making a new post. (Edit is only not to be used to leave logs.)

Please run the Eset scan again, following all directions, especially to remove the check in the box to remove entries.
=============================
Again I direct you to contact Bitdefender support about the .bin files.
 
Well- I feel dumb. I know XP is an operating system! I meant XP on a desktop. It was early and I hadn't had my coffee yet. So very sorry. I've got an email in to BitDefender with all the info you gave me. The first ESET scan is still running, 41% done. It is taking quite a while. It says 0 infected files so far.
When you say the edit feature to add...I'm confused. Is the quick reply alright for this kind of post?
I've used the edit feature when I remember something minutes later to add, but I don't see it as an option now. I use post reply when I'm adding new scan files, correct? Do you want a copy of both the scan files when I'm done?
 
When you look at your closed post, look to the lower right corner. You should see
[image: newedit.gif]


When you click on that, it opens the post and you can add the text. When you finish, click on the Save button, lower right.

If I have already replied to the post, you can't edit it. But if you remember something an hour later and I have not replied yet, you can edit and add what you wanted. The Edit feature does not send out another email feedback to me, but I would then see all the text when I brought your thread up.

Sorry to put you to all the trouble with those .bin entries, but they should be there and although the script did delete them, they came right back.
 
New information

I see what I was doing wrong. I was using your post as the spring board for my next reply instead of my last post. Thinking emails, I guess. In the bottom right of your last posts there is only QUOTE, and then under that is an option for new post or quick reply. I guess there's a reason I'm considered a newcomer in training.
Again- I did remove the check for removing entries, I just forgot to add a check for the archives. I will do it correctly and run ESET again after this scan is done. But, do you want to see both files?

Bobbye, I just heard this back from Bit Defender tech support: The .bin file is generated after each Bitdefender install. This is a log file, we are using that file when we need to troubleshoot an install issue, the file is clean and is part of the Bitdefender product you installed.

Bitdefender Technical Support Engineer
-------------------------------------
http://www.bitdefender.com/help

I'm also running the second ESET scan now with all the correct boxes checked or unchecked this time. The first scan ran for 8 hours and found no threats, so made no log. This second scan has been running for 12 hours now and only 28% done! My computer was acting very slow after the first eset scan. I could barely open a browser to start this second scan. What's wrong?
 
Tell Bitdefender Support that the log file is not a .bin file:
2012-02-03 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\BDLogging

But that all of the other files associated with BD, including the install are the .bin files like this:
c:\documents and settings\All Users\Application Data\1328289714.3736.bin
c:\documents and settings\All Users\Application Data\1328296496.bdinstall.bin

I cannot identify the .bin files and I can't remove them. Why does BD have files with this extension? They may be clean but they shouldn't be showing on the system like this.

I also can't find this download: TLPY.CO*BITDEFENDER AN TRIALPAY.COM CA

Tell them also that I ran a 'filelook' with script through Combofix and only got the following:
--- c:\documents and settings\All Users\Application Data\1328289714.3736.bin ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 69417
Created time: 2012-02-03 17:28
Modified time: 2012-02-03 17:48
MD5: 3B7FC2992EDBBDEEE6FA91502F998CF9
SHA1: 9947415EB41A62BF30DE4EF2270F7B723A6DA91A
=======================================
Whenever possible, especially with security programs, you should use their home site for the downloads. For whatever it's worth, I found this information:

http://ctwatchdog.com/shopping/herman-street-review-be-careful-dealing-with-this-company

failed to check the Better Business Bureau website at BBB.org where I would have seen that there were 43 complaints about the products they sell.
Even worse, I charged my debit card for the $43.25 product, instead of a credit card, where I could have disputed the charge.

The above comment was followed by 7 Responses to Herman Street Review: Be Careful Dealing With This Company:

The comments and reviews are current- from January 2012
This company is the worst ecommerce company I've ever placed an order with – their website indicates that the item is in stock but it's not and they don't email you to tell you they've back ordered your item but they'll take your money
I just had the same experience with Herman Street. They sell you the software and supply you with a fake activation code. Now for the hassle of getting my money back…at least I charged the $60. Agreed…AVOID HERMANSTREET.COM

Maybe this will help you understand why I am concerned. And checking one of the files, fails to give any information about what you downloaded.

You need to make sure that you deal with Bitdefender Support, not hermanstreet!
 
Bobbye-I contacted bitdefender support directly to get you that information, not herman street and thanks for that advice. It makes sense to go direct when buying software like this.

The combo fix file you found that has the missing data is the download from TLPY.CO*BITDEFENDER AN TRIALPAY.COM CA I bought on 2-3-12. When I ran your delete virus protections instructions, I deleted all the previous versions and files I could find of bitdefender so I could start fresh. I will ask them again about those files just as you've asked.

Do you know why this latest ESET scan is running for so many hours? It's been 15 hours now and only 42% finished. Is this normal?

Thanks!
 
You've mentioned deleting files often. I have lost track! Normally, you would uninstall a program, then use Windows explorer to delete the program folder.

I am going to recommend that you uninstall the Bitdefender you got from the herman site and request a refund. Use a temporary AV in the meantime.

If you decide you want Bitdefender again, then download Bitdefender directly from their home site- after I finish trying to get the system clean-and safe!

You don't have to pay for a full security suite. You can get AV, FW and antimalware programs all free.

There is some reason the Eset scan won't run- I don't know what it is. Please end the Eset scan and see if you can get Kaspersky to run.

This should have been a simple matter of just removing one of the multiple AVs and making sure the other was properly updated. Any left over entries could have been removed using script to run through Combofix. But you had already gone ahead with what you did. Now you have a bunch of unidentifiable files on the system that shouldn't be there and can't be removed and so far, it won't run an online virus scan.
 
Should I uninstall the bitdefender first before trying the Kaspersky? The first eset did run and came back clean, I just forgot to check the archive box.
Which AV free do you recommend I use now? I'm confused why I need a temporary. I'd like to get something permanent.
 
The link in your previous post #32 to Kaspersky online scan isn't valid any longer. Herman wrote me back saying they were giving me a refund within 24 to 48 hours. I think their customer service is just fine. Maybe they got so many complaints that they got their act together??

I downloaded the Avast from this site's link in the 5 step clean but first I accidentally hit the Uniblue registry clean which was right below the download button. The instruction said to run it first for errors. It said I have over 1700 registry errors to fix. I didn't click to fix them though. Let me know if I should.

Then, I've uninstalled the Bitdefender and removed all the program files from searching C:\ files and folders. Then I emptied the recycle bin and restarted the computer.
Now I'm running a full system scan with the AVAST

It's running like a race car now! What would you like me to do next?
 
Goodness, you're having all kinds of problems! I don't like what Kaspersky is doing. They have the free scan down again while updating. But it seems you can get the trial version instead. Then, as I think you already experienced, they will bug you to buy the full version! I don't want any of that.

Here are 2 other online virus scans. Both are free so don't click on any offer to get 'full version.' The difference is that the free version just runs this scan but doesn't offer the AV being resident on the system.
Panda Free Active Scan
Trend Micro Housecall for 32bit
-------------------------------------------------
Note please: if either of the above scans has a box already checked to remove entries it finds, please uncheck it. I will use a special program to remove the entries and associated files.

You must be very careful to uncheck any pre-checked boxes on download screens. Ignore the message from Uniblue Registry Cleaner and uninstall it. (Use Add/Remove Programs to uninstall, then Windows Explorer to access Computer> Local Drive(C)> Programs> do a right click> Delete on the program folder.) We don't recommend anyone use a registry cleaner as the risks outweigh any benefit. I will remove Avast from my recommended AV since they are pushing this. We stopped recommending Avira for a similar reason.

But it is ultimately up to the user to check all download screens carefully before you download and uncheck any offers for toolbars, other programs or browser helpers.
 
Is it ok that I have the AVAST AV on now as my permanent protection? It was free. I ran the quick scan with it and it came back saying the computer was clean. That took over an hour though.
I'll uninstall the Uniblue. Glad I didn't let it run.
Then run the Panda scan. Will there be a log report to attach from that?
Thanks for hanging in with me. This is really time intensive.
 
Avast is fine.

There should be a log or report from any of the online virus scans, unless it doesn't find anything. I know the Eset scan doesn't return a log if there are no processes.
 
I've been gone most of the day. Just got back and see that the Panda active scan has been running for 11 hours and is only 12% done! It's moving through files though. It says 2 are infected so far. 0 suspicious and 0 vulnerabilities. I'll let it keep going unless I hear right back, as I'm off to bed, but something is wrong. It shouldn't take this long. The AVAST scan didn't take this long and it found nothing.
Just checked the computer after letting scan run all night. Now it said 4 viruses detected and still at 12% scan completed. I cancelled the process and just restarted my computer.
Just ran the other suggested virus scanner you posted called House Call, quick scan option, and it came back clean. Then I ran the full scan by House Call and it also came back clean. It took 6 hours for the scan.
Let me know what's next.
Thanks.
 
Waiting for new instructions

Hi Bobbye- it's been a couple of days since I've heard from you. Hope you have forgotten about me...so this is a friendly nudge. Thanks!
 
I know you've been at this for a while so let's finish up since the online scans are clean.

Are you having any problems with the system at this point? If you are not, go ahead and do the following:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

There may be some of the online scan in the addon section, so you can open the browser> Tools> Addons> in IE, look in both sections of addons currently on and addons previously on and remove Panda, Kaspersky, Eset, Housecall or any of the others you used if still on the system.

Okay to keep Avast. Remember to check all download screens to remove any pre-checks. Let me know after you run for a few days if any problem comes up.
 