Inactive Vista Anti Spyware + Redirect Help.. Followed prelim 7 steps

Andrewnyc0129 · Jun 7, 2011

So I had a problem with redirection a while back which I thought had been taken care of after running combofix. Recently I discovered a new virus called Vista Anti Spyware that wont allow me to use the internet because a page will popup saying I need to run anti spyware or that my computer is at risk.

I looked in the forum and followed the main 7 steps and will post the logs. Any help will be greatly appreciated. This problem is very annoying and I just want my PC to go back to normal. Thanks

Malware Bytes Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

6/7/2011 12:59:00 AM
mbam-log-2011-06-07 (00-59-00).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 300872
Time elapsed: 2 hour(s), 28 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER Log

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-07 01:20:14
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: wm3ru5uu.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\uwdiqpob.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x92A189C0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x92A189FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x92A18A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x92A18930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x92A18944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x92A189D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x92A18A69]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x92A18A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x92A189AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x92A18998]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x92A18A14]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x92A189EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

DDS log

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_24
Run by Andrew at 1:06:59 on 2011-06-07
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1037 [GMT -4:00]
.
AV: McAfee VirusScan *Enabled/Outdated* {2A28CCAF-2E53-0F80-A82C-9572D1C24D8C}
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: McAfee VirusScan *Enabled/Outdated* {91492D4B-0869-000E-929C-AE00AA450731}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Disabled/Outdated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
FW: McAfee Personal Firewall *Disabled* {12134D8A-643C-0ED8-8373-3C472F110AF7}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\Program Files\Dell Video Chat\DellVideoChat.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\PC Tools Security\pctsGui.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Users\you\Downloads\wm3ru5uu.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=16794S&l=dis
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Google Update] "c:\users\andrew\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [SightSpeed] "c:\program files\dell video chat\DellVideoChat.exe" -bootmode
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
mRun: [PCTools FGuard] c:\program files\pc tools security\bdt\FGuard.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\users\andrew\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.1.121\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 213.109.68.116 213.109.73.172 1.1.1.1
TCP: Interfaces\{895EB826-46B6-4FC9-A14F-2A48FDA3DDFA} : DhcpNameServer = 213.109.68.116 213.109.73.172 1.1.1.1
TCP: Interfaces\{A5754BCB-067F-4E67-A192-DC48C6E00DE6} : DhcpNameServer = 213.109.68.116 213.109.73.172 1.1.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\y3wh73f2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\y3wh73f2.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\andrew\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\users\andrew\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\andrew\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.homepage.dontask, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-6-5 263888]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-6-5 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-6-5 656320]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-13 201320]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2011-6-5 233976]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f6ef8056\AEstSrv.exe [2010-11-17 81920]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-6 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-6 269480]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-5-5 1168632]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-6 61960]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-13 358224]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-10-13 144704]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\ccSvcHst.exe [2010-1-6 126392]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-6-5 371472]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-6-5 1117144]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-10-13 475136]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2008-10-13 54784]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-10-13 203264]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-13 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-13 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-13 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-13 40488]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2011-6-5 337872]
S2 gupdate1c9bcabcf4fc1f0;Google Update Service (gupdate1c9bcabcf4fc1f0);c:\program files\google\update\GoogleUpdate.exe [2009-4-13 133104]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\SymcPCCULaunchSvc.exe [2010-1-6 120248]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-6-6 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-10-13 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-13 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-14 38224]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-13 33832]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-10-13 144672]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-10-13 277504]
.
=============== Created Last 30 ================
.
2011-06-07 03:46:52 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-07 03:46:46 -------- d-----w- c:\programdata\Avira
2011-06-07 03:46:46 -------- d-----w- c:\program files\Avira
2011-06-06 15:26:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-06-06 15:26:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-05 19:47:53 767952 ----a-w- c:\windows\BDTSupport.dll
2011-06-05 19:47:52 2078672 ----a-w- c:\windows\PCTBDCore.dll
2011-06-05 19:47:52 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-06-05 19:47:52 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-06-05 19:11:14 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-06-05 19:11:14 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-06-05 19:11:11 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-06-05 19:11:11 105280 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-06-05 19:11:01 263888 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-06-05 19:11:01 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-06-05 19:10:55 233976 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-06-05 19:10:43 70664 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-06-05 19:10:18 -------- d-----w- c:\program files\PC Tools Security
2011-06-05 19:10:18 -------- d-----w- c:\program files\common files\PC Tools
2011-06-05 19:04:09 -------- d-----w- c:\programdata\PC Tools
2011-06-05 19:01:00 -------- d-s---w- C:\ComboFix
2011-06-05 18:46:14 335872 --sha-w- c:\users\andrew\appdata\local\sgi.exe
2011-06-05 18:45:57 335872 --sha-w- c:\users\andrew\appdata\local\kjb.exe
2011-06-05 17:10:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-05 17:10:00 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-05 17:10:00 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-05 17:09:59 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-05 17:09:59 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-05 17:09:59 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-06-05 17:09:59 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-05 17:09:58 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-06-04 04:49:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-04 03:36:56 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c52f706a-9dfb-49b2-a742-47ed52baf65e}\mpengine.dll
.
==================== Find3M ====================
.
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-26 20:58:02 144556533 ----a-w- c:\windows\DUMP3d3e.tmp
.
============= FINISH: 1:08:42.41 ===============

Attach log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 10/13/2008 1:51:07 PM
System Uptime: 6/6/2011 10:36:00 AM (15 hours ago)
.
Motherboard: Dell Inc. | |
Processor: Intel(R) Core(TM)2 Duo CPU T5850 @ 2.16GHz | Microprocessor | 1000/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 288 GiB total, 196.681 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.629 GiB free.
E: is Removable
F: is CDROM ()
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP513: 6/6/2011 5:08:15 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Photoshop CS3
Adobe Reader 9.2
Adobe Shockwave Player
Advanced Audio FX Engine
AIM 7
AIMTunes
Apple Application Support
Apple Mobile Device Support
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
BlackBerry Desktop Software 6.0
Bonjour
Browser Defender 3.0
Buddy Icon Maker 1.0.0.1
CCleaner
Compatibility Pack for the 2007 Office system
Dell Driver Download Manager
Dell Video Chat (remove only)
Dell Webcam Central
Dell Wireless WLAN Card Utility
Download Updater (AOL LLC)
EVEREST Ultimate Edition v5.50
FoxyTunes for Firefox
FrostWire 4.21.3
Google Chrome
Google Desktop
Google Talk Plugin
Google Update Helper
GoToAssist 8.0.0.514
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IDT Audio
iTunes
Java Auto Updater
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Standard Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Mozilla Firefox 4.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB973688)
Norton PC Checkup
QuickTime
Skype Toolbars
Skype™ 5.1
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Spyware Doctor 8.0
Videora iPod Converter 4.02
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VoiceOver Kit
YouTube Downloader App 1.01
.
==== Event Viewer Messages From Past Week ========
.
6/6/2011 5:08:13 PM, Error: volsnap [20] - The shadow copies of volume C: were aborted because of a failed free space computation.
6/6/2011 11:08:33 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee Services service, but this action failed with the following error: An instance of the service is already running.
6/6/2011 11:08:00 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error 2150760449 (0x80320001).
6/6/2011 11:07:55 PM, Error: Service Control Manager [7034] - The Browser Defender Update Service service terminated unexpectedly. It has done this 1 time(s).
6/6/2011 11:07:37 PM, Error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
6/6/2011 11:07:33 PM, Error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
6/6/2011 11:07:27 PM, Error: Service Control Manager [7034] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s).
6/6/2011 11:07:22 PM, Error: Service Control Manager [7034] - The Norton PC Checkup Application Launcher service terminated unexpectedly. It has done this 1 time(s).
6/6/2011 11:07:18 PM, Error: Service Control Manager [7031] - The Common Client Job Manager Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/6/2011 11:07:14 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
6/6/2011 11:07:11 PM, Error: Service Control Manager [7034] - The SupportSoft Sprocket Service (dellsupportcenter) service terminated unexpectedly. It has done this 1 time(s).
6/6/2011 11:07:04 PM, Error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
6/6/2011 10:35:12 AM, Error: EventLog [6008] - The previous system shutdown at 1:54:59 AM on 6/6/2011 was unexpected.
6/6/2011 10:21:08 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 00225F1641A2 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
6/6/2011 1:18:46 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
6/6/2011 1:16:15 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC mfehidk MPFP NetBIOS netbt nsiproxy PCTSD PSched RasAcd rdbss SASDIFSV SASKUTIL Smb spldr Tcpip tdx Wanarpv6 ws2ifsl
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 1:16:15 AM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 1:15:49 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
6/6/2011 1:15:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
6/6/2011 1:15:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
6/6/2011 1:15:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
6/6/2011 1:15:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/6/2011 1:15:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
6/5/2011 7:33:00 PM, Error: EventLog [6008] - The previous system shutdown at 1:25:46 PM on 6/5/2011 was unexpected.
6/5/2011 3:32:32 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 00225F1641A2 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
6/2/2011 11:30:12 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the DHCP Client service, but this action failed with the following error: An instance of the service is already running.
6/2/2011 11:29:12 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Audio service, but this action failed with the following error: An instance of the service is already running.
6/2/2011 11:16:16 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
6/2/2011 11:16:16 PM, Error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the path specified.
6/2/2011 1:43:21 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
6/1/2011 9:04:49 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WerSvc service.
.
==== End Of File ===========================

Bobbye · Jun 7, 2011

You have run an old version of Malwarebytes- that is not the version in our steps. Please remove the Mbam you have now and start it over. It's not going to find this malware because it isn't in the database on the old version.
I am going to make a change since you have to do over: you need to run a Full Scan. Follow instructions below:

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from from HERE
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
[o] Update Malwarebytes' Anti-Malware
[o] and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Full Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please attach this log with your reply
[o] If you accidentally close it, the log file is saved here and will be named like this:
[o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

=============================================
When you have completed the scan, do the following:
Download Unhide.exe and save to the desktop.

Double-click on Unhide.exe icon to run the program.
This program will remove the +H, or hidden, attribute from all the files on your hard drives.

(There is no log to leave for this)
===========================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

Click START> then RUN
Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop

Double click combofix.exe & follow the prompts.
ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
.Click on Yes, to continue scanning for malware
.If Combofix asks you to update the program, allow
.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
.Close any open browsers.
.Double click combofix.exe

& follow the prompts to run.
When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
====================================
***Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.***
Leave the logs for Mbam and Combofix in your next reply.

Note: You may be seeing some improvement. That does not mean all the malware entries are gone. Please continue with the cleaning.

Andrewnyc0129 · Jun 7, 2011

Downloaded New Malwarebytes Anti- Malware and ran the scan

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6800

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

6/7/2011 6:54:22 PM
mbam-log-2011-06-07 (18-54-22).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 369212
Time elapsed: 3 hour(s), 44 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\10DPP6O2VE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\BSK91O3T6D (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Andrew\AppData\Local\sgi.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Andrew\AppData\Local\sgi.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Andrew\AppData\Local\sgi.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

combofix log

ComboFix 11-06-06.07 - Andrew 06/07/2011 19:20:11.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1343 [GMT -4:00]
Running from: c:\users\Andrew\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: McAfee VirusScan *Disabled/Outdated* {2A28CCAF-2E53-0F80-A82C-9572D1C24D8C}
FW: McAfee Personal Firewall *Disabled* {12134D8A-643C-0ED8-8373-3C472F110AF7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: McAfee VirusScan *Disabled/Updated* {91492D4B-0869-000E-929C-AE00AA450731}
SP: Spyware Doctor *Disabled/Outdated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2011-05-07 to 2011-06-07 )))))))))))))))))))))))))))))))
.
.
2011-06-07 23:43 . 2011-06-07 23:43 -------- d-----w- c:\users\you\AppData\Local\temp
2011-06-07 23:43 . 2011-06-07 23:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-06-07 23:43 . 2011-06-07 23:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-07 23:12 . 2011-06-07 23:12 -------- d-----w- c:\users\Andrew\AppData\Roaming\Avira
2011-06-07 18:42 . 2011-06-07 18:42 711728 ----a-w- c:\windows\isRS-000.tmp
2011-06-07 18:42 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-07 18:42 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-07 03:46 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-07 03:46 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-07 03:46 . 2011-06-07 03:46 -------- d-----w- c:\programdata\Avira
2011-06-07 03:46 . 2011-06-07 03:46 -------- d-----w- c:\program files\Avira
2011-06-07 02:10 . 2011-06-07 02:10 -------- d-----w- c:\users\you\AppData\Roaming\Malwarebytes
2011-06-06 15:26 . 2011-06-07 02:58 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-06-06 15:26 . 2011-06-06 15:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-05 19:47 . 2011-05-20 15:44 767952 ----a-w- c:\windows\BDTSupport.dll
2011-06-05 19:47 . 2011-05-20 15:44 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-06-05 19:47 . 2011-05-20 15:44 2078672 ----a-w- c:\windows\PCTBDCore.dll
2011-06-05 19:47 . 2011-05-20 15:44 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-06-05 19:11 . 2010-07-16 18:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-06-05 19:11 . 2010-07-16 18:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-06-05 19:11 . 2011-05-12 12:59 105280 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-06-05 19:11 . 2011-05-06 17:26 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-06-05 19:11 . 2011-05-11 17:35 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-06-05 19:11 . 2011-05-11 13:55 263888 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-06-05 19:10 . 2011-03-10 13:08 233976 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-06-05 19:10 . 2011-05-06 17:28 70664 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-06-05 19:10 . 2011-06-07 23:07 -------- d-----w- c:\program files\PC Tools Security
2011-06-05 19:10 . 2011-06-05 19:48 -------- d-----w- c:\program files\Common Files\PC Tools
2011-06-05 19:04 . 2011-06-05 19:10 -------- d-----w- c:\programdata\PC Tools
2011-06-05 17:10 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-05 17:10 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-05 17:10 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-05 17:09 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-05 17:09 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-05 17:09 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-05 17:09 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-06-05 17:09 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-06-04 04:49 . 2011-06-04 19:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-04 03:36 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C52F706A-9DFB-49B2-A742-47ED52BAF65E}\mpengine.dll
2011-05-20 04:56 . 2011-05-20 04:56 -------- d-----w- c:\users\you\AppData\Local\Apple Computer
2011-05-20 04:44 . 2011-05-30 12:04 -------- d-----w- c:\users\you\AppData\Roaming\skypePM
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-26 20:58 . 2008-10-14 01:26 144556533 ----a-w- c:\windows\DUMP3d3e.tmp
2011-04-14 16:26 . 2011-06-05 17:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-06-25 06:47 . 2009-10-30 17:18 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-06-13 4758904]
"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2010-02-10 18784440]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-06-30 196608]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-08-05 3563520]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-06-09 814144]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-25 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2008-07-24 993520]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483428]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-05-20 247760]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
.
c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
.
c:\users\you\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-20 113664]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-5-2 1211472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-10-13 23:15 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 SASDIFSV;SASDIFSV;c:\users\Andrew\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Andrew\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 gupdate1c9bcabcf4fc1f0;Google Update Service (gupdate1c9bcabcf4fc1f0);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 133104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-25 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 133104]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-07-28 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-07-28 277504]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2011-02-18 371472]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-05-11 263888]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
S1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD.sys [2011-03-10 233976]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-17 81920]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-05-05 1168632]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [2011-05-20 337872]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-05-02 161048]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [2010-12-14 120248]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [2009-08-24 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-06-30 475136]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-03-14 54784]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-03-11 203264]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-05-29 22712]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - SSMDRV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 02:49]
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 02:49]
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4260835705-1188298559-1849461784-1000Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-18 09:14]
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4260835705-1188298559-1849461784-1000UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-18 09:14]
.
2011-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-13 18:32]
.
2011-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-13 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=16794S&l=dis
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\y3wh73f2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.homepage.dontask, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-07 19:44
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4260835705-1188298559-1849461784-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.***Z%\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-4260835705-1188298559-1849461784-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*/*e"]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-4260835705-1188298559-1849461784-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*/*e"\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-4260835705-1188298559-1849461784-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*/*e"]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(7484)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\program files\DigitalPersona\Bin\DpoSet.dll
.
Completion time: 2011-06-07 19:50:45
ComboFix-quarantined-files.txt 2011-06-07 23:50
ComboFix2.txt 2010-11-15 03:31
.
Pre-Run: 209,628,352,512 bytes free
Post-Run: 209,233,035,264 bytes free
.
- - End Of File - - FF1DB95F418CF2CB16726038E0928A99

thanks so much for your help

Bobbye · Jun 11, 2011

Sorry for delay- I'm having intermittent loss of internet connection and the ISP can't figure out why!.

DId you notice the different in the Mbam log? That's why we always need the most current database.

You have 2 AV programs. Please remove one of them:
AV: McAfee VirusScan: McAfee Removal \
AV: AntiVir Desktop : To uninstall Avira:

Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
Wait for the list of installed programs to load, then click the name of the Avira program.
Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
Press Yes, to confirm the removal and then OK.
. Click Next until Finish. The software is removed.

Please reboort the computer when finished.
=================================
Please go ahead and run the following:

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESETOnlineScan
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
[o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
[o] Double click on the

on your desktop.
Check 'Yes I accept terms of use.'
Click Start button
Accept any security warnings from your browser.
Uncheck 'Remove found threats'
Check 'Scan archives/
Leave remaining settings as is.
Press the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
When the scan completes, press List of found threats
Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
Push the Back button
Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
======================================
Your homepage is set to ask.com. I will be changing that and removing any ask.com entries. In the meantime, look on Add/Remove Programs and uninstall any entries for Ask .

Andrewnyc0129 · Jun 12, 2011

Not a problem. Hope your issue gets fixed asap, meanwhile thanks for replying to my post. I ran the online scanner and these were the results:

C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\7abe31c0-3b13e81e multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\5b1214a-3ea45f91 Java/TrojanDownloader.Agent.NCM trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\69f70b4a-7bf9c140 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\2933710c-45a3a72e probably a variant of Win32/Agent.RPSVWU trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\4604e10c-16e052d2 Java/TrojanDownloader.OpenStream.NBL trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\5bbe980f-38628324 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\57b2b890-7947a6c1 probably a variant of Java/Exploit.CVE-2009-2843.B trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\556f5f51-2d531783 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\6d69fa52-1e9f2e9f multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\13e6bc2-5bb7289b multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\72e3a02-52f1e547 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\1b095158-63e42c30 a variant of Java/Exploit.CVE-2009-2843.B trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\7061701b-3d4f406a multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\7061701b-7356951e multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\2168fa83-1ea7ee72 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\79b0fdc3-30bf0243 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\281e7c9f-7e5cf7ce multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\19322960-562b459f a variant of Java/Agent.BR trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\7924e120-2bc6fe95 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\d9ad60-65ef2145 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7ffc20e1-7f9cddf6 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\3289f822-4fb1b3e2 a variant of Java/Agent.BR trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-3501ba61 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\3c935363-51a6daef multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\5be8fda4-2f5ca448 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\3b4d8b25-1f3b7a3a multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\73df1e65-4bec988c multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\2e1d60a6-72161d09 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\3599fd26-2dd63af7 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5f23bb26-59dd17f5 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\8f85c44-6dbd8977 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\28988a29-38024527 Java/TrojanDownloader.OpenStream.NBL trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\f4e4a9-7e18994e multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\42cc9baf-6b0fbe49 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\6eeafe70-3b7243fc multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\3ae03185-7cb9fa14 probably a variant of Java/Agent.BR trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\10bc3e73-6189d4a3 probably a variant of Win32/Agent.RPSVWU trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\4aefc2f6-4bc08473 a variant of Java/Agent.BR trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6c1994f6-5142aff6 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\2e1a20f7-60f32430 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\5a71be37-24f31fb3 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\77372737-48848a32 probably a variant of Win32/Agent.RPSVWU trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\286de3b8-49d91fe8 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\58e40278-3dd5a548 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\23105b3a-5f05a72b multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\766920c6-789beabb multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\63847cfc-1b503e3f multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\6cb64d7d-72e1ca00 probably a variant of Java/Agent.BR trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\6f62337d-72ab1881 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\5e91f73f-476230d2 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\5450ce47-1be6a6f2 probably a variant of Java/Agent.BR trojan
C:\Users\Andrew\Documents\LimeWire\Saved\listen to your heart acoustic.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Windows\restore.exe Java/IRCBot.A trojan

I also went ahead and checked for any programs to uninstall named Ask but didnt find any in the results for my search.

Bobbye · Jun 14, 2011

Okay- lots of entries in the Java cache (we will need to check you settings) - so let's empty it:

To clear the Java Plug-in cache:

[1]. Click Start > Control Panel.
[2]. Double-click the Java icon in the control panel.

The Java Control Panel appears.

[3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.

[4] Click Delete Files.The Delete Temporary Files dialog box appears.

[5]. Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
[6]. Click Apply> OK on Temporary Files Settings window.

Images courtesy java.com
================================================
Please download OTMovit by Old Timer and save to your desktop.

Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

:Files 
C:\Users\Andrew\Documents\LimeWire\Saved\listen to your heart acoustic.mp3 
C:\Windows\restore.exe 

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Best you stop getting download through LimeWire. You got a variant of WMA/TrojanDownloader.GetCodec.gen trojan when you saved "listen to your heart acoustic.mp3". This Trojan modifies media files- converts all media files to the WMA format and adds a field to the header that includes a URL pointing the user to a new codec, claiming that the codec has to be downloaded so that the media files can be read.
So you might want to check out your media files status.
========================================
We need to check for a Virut infection or rule it out:

Make sure to use Internet Explorer for this
Please go to VirSCAN.org free on-line scan service
Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:

c:\windows\system32\userinit.exe

c:\windows\explorer.exe

c:\window\system32\svchost.exe

Click to expand...
Click on the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button.
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

================================================
I'm going to wait on the VirSCAN before going any further.

Andrewnyc0129 · Jun 14, 2011

I deleted the files from java and ran the OT moveit program and these were the results:

All processes killed
========== FILES ==========
File/Folder C:\Users\Andrew\Documents\LimeWire\Saved\listen to your heart acoustic.mp3 not found.
C:\Windows\restore.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Andrew
->Temp folder emptied: 48950908 bytes
->Temporary Internet Files folder emptied: 54524781 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 51696680 bytes
->Google Chrome cache emptied: 359203738 bytes
->Flash cache emptied: 91400 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: you
->Temp folder emptied: 213249 bytes
->Temporary Internet Files folder emptied: 17269306 bytes
->Java cache emptied: 13689508 bytes
->FireFox cache emptied: 13722494 bytes
->Google Chrome cache emptied: 85070176 bytes
->Flash cache emptied: 7175 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 145646371 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 22225148 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 5022931 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 25494473 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 804.00 mb

OTM by OldTimer - Version 3.1.18.0 log created on 06142011_160924

Files moved on Reboot...

Registry entries deleted on Reboot...

So with the virscan I did all three of them but it did not allow me to copy the results to the clipboard. The first two read no malware and the entry for svchost said the upload file could not be found. I tried several times .

Bobbye · Jun 15, 2011

[5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
[6]. Paste the contents of the Clipboard in your next reply.[/list]

What did not work?

Bobbye · Jun 15, 2011

I'd like to bring this to your attention: OTM Total Files Cleaned = 804.00 mb. This is a very large amount of files. It can indicate that you are not doing any maintenance on the system such as disc cleanup to include deleting temporary internet files and Cookies, running the Error Check and defrag.

Before I give you any script to run through Combofix: I found all of the following security and 'cleanup' type entries in your logs:

There is a very good chance that the excess of some security programs is actually leaving the system more vulnerably, not less. So far I see:
(AV=antivirus. FW=firewall. SP=spyware/antimalware)
AV: AntiVir Desktop
AV: McAfee VirusScan *Disabled/Outdated<<<<<<
FW: McAfee Personal Firewall
SP: AntiVir Desktop
SP: McAfee VirusScan
SP: Spyware Doctor *Disabled/Outdated (from PC Tools)
SP: Windows Defender
EVEREST Ultimate Edition v5.50>> This has been discontinued.
Norton PC Checkup
PCTools Security:>> AV, FW, SP
Lavasoft\Ad-Aware> SP
Spybot - Search & Destroy> SP
Malwarebytes' Anti-Malware> SP

I have seen users with so much security trying to keep others out, that they and up locking themselves in and can't access the internet.

You should have: One AV, One FW, Two or more spyware/antimalware. But it's best to combine type of antimalware programs, rather that just a log of them!

Bobbye · Jun 20, 2011

Note: I will be closing this thread if you do not reply by tomorrow.

Andrewnyc0129 · Jun 20, 2011

sorry for the delay.. so what did not work when i tried virscan was literally the link that said copy to clipboard it did nothing. i tried several times and pasted but it just did not copy the results of the log..

all the antivirus and anti malware programs i have are from when I had a problem with a redirect virus and unsuccessfully tried removing it from my computer. Do you have any suggestions for which programs to keep and which to delete?

also i just ran a disc cleanup and got rid of a lot of extra space

thanks

Bobbye · Jun 23, 2011

also i just ran a disc cleanup and got rid of a lot of extra space

Many files were removed in OTM as I pointed out. You should set up a regular maintenance schedule.
=========================================

any suggestions for which programs to keep and which to delete?

(AV=antivirus. FW=firewall. SP=spyware/antimalware)
AV: AntiVir Desktop <<< Keep
AV: McAfee VirusScan *Disabled/Outdated <<<<<<It appears that you have a McAfee Security Suite and that the subscription has expired. If that is the case, please Uninstall: McAfee Removal
FW: McAfee Personal Firewall: will be removed
SP: AntiVir Desktop> Keep
SP: McAfee VirusScan> Will be removed
SP: Spyware Doctor *Disabled/Outdated (from PC Tools)<<<< Expired> Remove
SP: Windows Defender>> Optional
EVEREST Ultimate Edition v5.50>> This has been discontinued.Uninstall
Norton PC Checkup>> Recommend remove, but it's optional
PCTools Security:>> AV, FW, SP<<< Expired. Uninstall.
Lavasoft\Ad-Aware> SP<<<Can keep, but has gone down in effictiveness
Spybot - Search & Destroy> SP<<< Keep
Malwarebytes' Anti-Malware> SP<<<< If paid, keep. If free, uninstall. Can run free scan anytime.
------------------------------------
My recommendations for security programs:
1. Keep Avira as the AV
2. Add one of these free firewalls:
[o]Comodo
[o]Zone Alarm
3. Use a Site Advisor: Recommend :
The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.Your online email account – Google Mail, Yahoo! Mail and Hotmail is also protected.
4. Spyware/Antimalware:
[o] Keep Spybot Search & Destroy
[o] Add Spywareblaster: SpywareBlaster protects against bad ActiveX.
[o] Windows Defender optional
=====================================
Regadless of which programs you keep please note: If you collect security programs on your own to try and get rid of malware, you should not just abandon them on the system. You should have the AV, FW and SP that are always on the system and others shou;d be uninstalled.

Andrewnyc0129 · Jun 25, 2011

Thanks so much for your help. I really appreciate it. Is there anything else you would recommend or do you think my pc should be back to normal. Honestly my internet is running pretty slow especially streaming videos and flash.. if you have any idea how to help with that, would be awesome

thanks again

Bobbye · Jun 25, 2011

I am concerned about the failed online scan. It's been 2 weeks since you started this. Please repeat the following:

Update and rescan with Malwarebytes.

Go to the Eset Online Virus scanner and do a new scan.

Please leave both logs in next reply.

Bobbye · Jul 4, 2011

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.

Inactive Vista Anti Spyware + Redirect Help.. Followed prelim 7 steps

Andrewnyc0129

Posts: 7 +0

Bobbye

Posts: 16,313 +36

Andrewnyc0129

Posts: 7 +0

Bobbye

Posts: 16,313 +36

Andrewnyc0129

Posts: 7 +0

Bobbye

Posts: 16,313 +36

Andrewnyc0129

Posts: 7 +0

Bobbye

Posts: 16,313 +36

Bobbye

Posts: 16,313 +36

Bobbye

Posts: 16,313 +36

Andrewnyc0129

Posts: 7 +0

Bobbye

Posts: 16,313 +36

Andrewnyc0129

Posts: 7 +0

Bobbye

Posts: 16,313 +36

Bobbye

Posts: 16,313 +36

Similar threads

Latest posts