[Active] Unable to install Java, infected files in AVG Virus Vault

greenly · Sep 29, 2010

virus prevention

Hi Bobbye,

I will soon be doing daily online financial transactions over this laptop. I currently only have AVG for virus protection. My question is what would you recommend for virus prevention in the future?

Do you have any personal recommendation for usful programs, or adivise concerning virus prevention? Also can you recommand any good articles or threads about this topic?

It seems to me most threads here are about what to do when a computer is infected, but what is best to do to prevent viruses and infections in the future?

Thank you,

greenly

Bobbye · Sep 30, 2010

It seems to me most threads here are about what to do when a computer is infected, but what is best to do to prevent viruses and infections in the future?

That's because this is the Virus and Malware Forum! But most of us include a section after removing the cleaning tools with security advice. I will leave yours.

Did you run the script I had for the locked Registry Files in Reply #19? It was right above the list of entries to remove in HJT. I need those open, so let's do the following.

First: Please run this Custom CFScript

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
RegLock:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Second: Please download OTMovit by Old Timer and save to your desktop.
Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Processes	
:Files  
c:\users\252468\New folder
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.

Click the red Moveit! button.

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
When this is done, I'll have you remove the cleaning tools and logs and give you the security information. Security must be layered to be the most affective. I'll give you that information.

greenly · Sep 30, 2010

OTM log

Hi Bobbye,

Did you run the script I had for the locked Registry Files in Reply #19? It was right above the list of entries to remove in HJT.

Yes, I did this ComboFix script yesterday and also removed the given entries in HJT, see my reply #20

**************************************************************

Below is the log for OTM

All processes killed
========== PROCESSES ==========
========== FILES ==========
c:\users\252468\New folder folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 252468
->Temp folder emptied: 3262499 bytes
->Temporary Internet Files folder emptied: 133113136 bytes
->Java cache emptied: 7328044 bytes
->FireFox cache emptied: 42515629 bytes
->Flash cache emptied: 11345 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 45659819 bytes

Total Files Cleaned = 221.00 mb

OTM by OldTimer - Version 3.1.16.1 log created on 09302010_211328

Files moved on Reboot...
C:\Users\252468\AppData\Local\Temp\ehmsas.txt moved successfully.
C:\Users\252468\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EK5X73PA\sh24[1].html moved successfully.
C:\Users\252468\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EK5X73PA\topic153721-2[1].html moved successfully.
C:\Users\252468\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\74LIUEVU\adsCAPYTXVQ.htm moved successfully.
C:\Users\252468\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\252468\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...

Bobbye · Oct 2, 2010

Okay, I saw your reply and all the same files are still locked. I can leave them locked and not be sure what's in them. Or you can run the script again.

If the problems have been resolved, remove all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Download OTCleanIt by OldTimer and save it to your Desktop.

Double click OTCleanIt.exe.

Click the CleanUp! button.

If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

Go to Start > All Programs > Accessories > System Tools

Click "System Restore".

Choose "Create a Restore Point" on the first screen then click "Next".

Give the Restore Point a name> click "Create".

Go back and follow the path to > System Tools.
[*]Choose Disc Cleanup
[*]Click "OK" to select the partition or drive you want.
[*]Click the "More Options" Tab.
[*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Tips for added security and safer browsing:
(Note: some fo the programs below may not work on Windows 7 or a 64 bit OS)

Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.

Have layered Security:

Antivirus Software(only one):Both of the following programs are free and known to be good:
[o]Avira Free
[o]Avast Home

Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
[o]Comodo
[o]Zone Alarm

Antispyware: I recommend all of the following:
[o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.

[o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
[o]MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
[o]Google Toolbar Get the free google toolbar to help stop pop up windows.

Stay current on updates:
[o] Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates.
[o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
[o]Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Reset Cookies to prevent Tracking Cookies:
[o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
[o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

Do regular Maintenance
Remove Temporary Internet Files regularly:
[o]ATF Cleaner by Atribune
OR
[o]TFC
Disable and Enable System Restore:
[o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.

Practice Safe Email Handling
[o] Don't open email from anyone you don't know.
[o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
[o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

greenly · Oct 2, 2010

ComboFix log (locked files)

Hi Bobbye,

Yes, thanks to you everything seems to be working perfectly. Just in case I ran your script from above for ComboFix again and the log is below. I won't delete or unistall anything yet untill you see this log and make sure everything is OK.

Thank you for the added security tips and program recomandations. I will try and do as you listed. For anti-virus you recommend Avira or Avast, from you expereince are there advantages to them over AVG Free Edition?

Also this computer is a laptop and I frequently use it outside the house and connect to public wireless networks. If I do online financial transactions over these public networks what would be a few crucial steps I'd have to take to ensure best security? I will follow all your recomandations from above, but is there something you would include for public Wi-Fi or is it enough to do as you advised above?

Thank you,

greenly

ComboFix 10-10-01.07 - 252468 10/02/2010 20:56:28.4.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.1745 [GMT -5:00]
Running from: c:\users\252468\Desktop\virus removal\later\ComboFix.exe
Command switches used :: c:\users\252468\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-10-03 02:00 . 2010-10-03 02:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-10-03 02:00 . 2010-10-03 02:00 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-10-03 02:00 . 2010-10-03 02:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-01 02:13 . 2010-10-01 02:13 -------- d-----w- C:\_OTM
2010-09-29 13:56 . 2010-03-04 04:04 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-09-29 13:56 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-28 18:08 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-27 17:05 . 2010-09-27 17:05 388096 ----a-r- c:\users\252468\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-27 17:05 . 2010-09-27 17:05 -------- d-----w- c:\program files\Trend Micro
2010-09-27 00:30 . 2010-09-27 00:30 61440 ----a-w- c:\programdata\WebEx\WebEx\500\libfaac.dll
2010-09-27 00:30 . 2010-09-27 00:30 237568 ----a-w- c:\programdata\WebEx\WebEx\500\mpeg4convert.dll
2010-09-26 23:42 . 2010-09-26 23:42 -------- d-----w- c:\windows\Sun
2010-09-26 23:42 . 2010-09-26 23:42 -------- d-----w- c:\program files\Common Files\Java
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\users\252468\AppData\Roaming\Malwarebytes
2010-09-24 03:09 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\programdata\Malwarebytes
2010-09-24 03:09 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-24 01:37 . 2010-09-24 01:37 -------- d-----w- c:\program files\ESET
2010-09-23 16:59 . 2010-09-23 16:59 1377632 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-09-23 16:59 . 2010-09-23 16:59 942432 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-09-23 16:59 . 2010-09-23 16:59 598368 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-09-23 16:59 . 2010-09-23 16:59 4371296 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-09-23 16:59 . 2010-09-23 16:59 300896 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-09-23 16:58 . 2010-09-23 16:58 1690952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-09-15 16:29 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 05:02 . 2010-08-18 00:35 -------- d-----w- c:\program files\Dl_cats
2010-09-29 21:12 . 2009-04-22 15:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-27 00:30 . 2010-07-16 22:17 2084864 ----a-w- c:\programdata\WebEx\WebEx\500\atpdmod.dll
2010-09-27 00:30 . 2010-07-16 22:17 188416 ----a-w- c:\programdata\WebEx\WebEx\500\nbrres.dll
2010-09-27 00:30 . 2010-07-16 22:17 118856 ----a-w- c:\programdata\WebEx\WebEx\500\atas32.dll
2010-09-27 00:30 . 2010-07-16 22:17 331776 ----a-w- c:\programdata\WebEx\WebEx\500\nbrpd.dll
2010-09-27 00:30 . 2010-07-16 22:17 396680 ----a-w- c:\programdata\WebEx\WebEx\500\atasctrl.dll
2010-09-27 00:30 . 2010-07-16 22:17 623928 ----a-w- c:\programdata\WebEx\WebEx\500\nbrpfw.dll
2010-09-26 23:42 . 2009-04-22 15:14 -------- d-----w- c:\program files\Java
2010-09-20 15:07 . 2010-07-19 21:09 -------- d-----w- c:\users\252468\AppData\Roaming\IrfanView
2010-09-15 21:52 . 2009-04-22 14:57 -------- d-----w- c:\programdata\Microsoft Help
2010-09-02 00:01 . 2010-09-02 00:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\users\252468\AppData\Roaming\DVDVideoSoftIEHelpers
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\program files\DVDVideoSoft
2010-08-29 20:44 . 2009-06-01 18:45 -------- d-----w- c:\program files\Atheros
2010-08-18 19:16 . 2010-08-18 19:16 -------- d-----w- c:\program files\BitZipper
2010-08-18 19:16 . 2010-08-18 19:16 -------- d-----w- c:\users\252468\AppData\Roaming\BitZipper
2010-08-18 00:35 . 2010-08-18 00:35 -------- d-----w- c:\program files\Dell AIO Printer 946
2010-08-11 23:06 . 2009-04-22 14:45 -------- d-----w- c:\program files\Microsoft Works
2010-08-11 22:02 . 2010-08-11 22:02 -------- d-----w- c:\users\Guest\AppData\Roaming\Apple Computer
2010-08-04 22:53 . 2010-08-04 22:53 -------- d-----w- c:\program files\Veoh Networks
2010-07-29 06:30 . 2010-08-11 16:22 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 16:22 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-17 10:00 . 2010-07-11 13:39 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 22:18 . 2010-07-16 22:18 98304 ----a-w- c:\programdata\WebEx\WebEx\500\webexrcd\atplayim.dll
2010-07-16 22:18 . 2010-07-16 22:18 5702 ----a-w- c:\programdata\WebEx\WebEx\500\atkbctl.dll
2010-07-16 22:18 . 2010-07-16 22:18 24576 ----a-w- c:\programdata\WebEx\WebEx\500\atmemmgr.dll
2010-07-15 20:25 . 2009-10-12 00:27 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 20:25 . 2010-07-15 20:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 20:24 . 2009-10-12 00:27 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 51712]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"DLCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-10-20 73728]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2007-01-12 435696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\users\252468\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ScreenHunter 5.1 Free.lnk - c:\program files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe [2009-12-26 5689344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

R3 PAC207;Webcam 1200;c:\windows\system32\DRIVERS\PFC027.SYS [2007-06-29 611584]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-02 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-20 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe [2006-12-08 537480]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\HPCeeScheduleFor252468.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 18:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\users\252468\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
FF - ProfilePath - c:\users\252468\AppData\Roaming\Mozilla\Firefox\Profiles\kl5qu4jw.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=616163&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\252468\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-10-02 21:02:34
ComboFix-quarantined-files.txt 2010-10-03 02:02
ComboFix2.txt 2010-09-29 21:35
ComboFix3.txt 2010-09-27 16:41
ComboFix4.txt 2010-09-24 23:18

Pre-Run: 229,527,900,160 bytes free
Post-Run: 229,489,012,736 bytes free

- - End Of File - - 693A7E42445032BFE5D39D60199E270D

Bobbye · Oct 3, 2010

If I do online financial transactions over these public networks what would be a few crucial steps I'd have to take to ensure best security?

See these Microsoft recommendations: http://www.microsoft.com/protect/mobile/public/publicwireless.aspx

My advice- try to keep the finances at home! I'm not adding it because I don't encourage doing this if at all possible. It's difficult enough to stay safe on your secure network at home!

I have ask about 3 of the registry keys that won't unlock> hold on to Combofix til I get back to you on that. Go ahead with the others.

Bobbye · Oct 4, 2010

Registry keys are okay. Go ahead and do this:Uninstall ComboFix and all Backups of the files it deleted

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

In the security tips and restore points for you:
#2 in tips: Have layered Security:IESpyad/ZonedOut won't work for Win 7 yet. Okay for IE8

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

Creating a Restore Point in Windows 7:

Click on Start> right click on Computer> Properties

Select System Protection

Click on the Create button (near bottom)

Type a name for the Restore Point

Click on Create again to save the restore point.

Deleting all but the most recent System Protection point in Windows

Click Start, type Cleanmgr.exe and press ENTER

Select the drive-letter from the list and click OK

Click Clean up system files
This restarts Disk Cleanup to run in elevated mode.

Select the drive-letter from the list and click OK

Click the More Options tab

Click the Clean up… button under System Restore and Shadow Copies.

Click OK.

Empty the Recycle Bin

Let me know if you have any more questions.

greenly · Oct 7, 2010

Hi Bobbye,

Thank you again for helping me. Everything is working fine and I am in the process of updating to your security recomandations above. I have one question, from your expereince does Avira or Avast offer any advantages over AVG Free? If you had the choice of those three for anti-virus software, what would you pick?

Also, I had all the logs and programs we went through in a folder on my desktop. I deleted that folder a few days ago. Combofix was in that folder, and today when I went to Uninstall Combofix, I got an error message saying that it can't find Combofix (b/c its deleted). Is it a problem that I did not unistall it properly?

Thank you,

greenly

Bobbye · Oct 7, 2010

You're very welcome! You just jumped the gun on removing the tools we used. Using the uninstall for Combofic removes the logs that were created by it also, as well as the programs. If you find any 'left overs' go ahead and remove them.

I am not impressed with AVG. I had it myself until it went to v8, combining the antispyware with it. The logs I see from AVG are heavy on Tracking Cookies but not much else. If you want to stay with a free AV, either Avast or Avira are okay. I an using the paid version of Eset Nod32 and have been very pleased with it.

Let me know if you have any more questions.

TechSpot

[Active] Unable to install Java, infected files in AVG Virus Vault

greenly Newcomer, in training

Bobbye Helper on the Fringe

greenly Newcomer, in training

Bobbye Helper on the Fringe

greenly Newcomer, in training

Bobbye Helper on the Fringe

Bobbye Helper on the Fringe

greenly Newcomer, in training

Bobbye Helper on the Fringe