Inactive I have some sort of virus or malware (need help)

Status: Not open for further replies.
Welcome to TechSpot! I'll be glad to help sort out the problem.

My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
=========================================
Any malware can cause a search to be redirected. Google is getting the rap because most people use Google for their search engine. If you do a Google search, then choose one of the sites on the page, but get taken to some other site instead, then you probably are being redirected. If you are experiencing something different, you need to let me know what it is.

As far as "slow", there are many things that can cause a computer to run slow- either slow to load and shut down, slow to surf, or all. Please describe what "slow" means to you. Tell me how much RAM is installed and whether you have recently been downloading programs or apps- and 'what' is slow- slow to open programs? Slow to connect to the internet? Slow to go site to site? Other?
 
Thank you for your response and thank you in advance for your help

Ok got several issues...

Lately I have googled something and when I click on the link it takes me to several places, and if I go back on the browser it is a different page, and not the Google link...

EX: I googled Trend Micro HouseCall and it came up; when I clicked on it, it took me to a search page, then I hit back and it was a buy Rx drug page...

Secondly, I had an odd virus scanner that randomly showed up on my desktop. It looked like a Windows virus scan but it did not have a name, and after that it would not let me do anything... I started it in safe mode and removed the file, but I certainly did not download it...

I downloaded Avira antivirus and it found 8 at first and then more when I restarted... I have deleted a number of programs as well today... Here is what Avira shows...



Avira AntiVir Personal
Report file date: Monday, August 29, 2011 17:36

Scanning for 3310245 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : PKR4599
Computer name : PKR4599-PC

Version information:

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Advanced

Start of the scan: Monday, August 29, 2011 17:36

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'SearchFilterHost.exe' - '33' Module(s) have been scanned
Scan process 'SearchProtocolHost.exe' - '52' Module(s) have been scanned
Scan process 'msiexec.exe' - '65' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'vssvc.exe' - '56' Module(s) have been scanned
Scan process 'avscan.exe' - '76' Module(s) have been scanned
Scan process 'avcenter.exe' - '95' Module(s) have been scanned
Scan process 'avgnt.exe' - '51' Module(s) have been scanned
Scan process 'sched.exe' - '56' Module(s) have been scanned
Scan process 'avshadow.exe' - '33' Module(s) have been scanned
Scan process 'avguard.exe' - '64' Module(s) have been scanned
Scan process 'Safari.exe' - '175' Module(s) have been scanned
Module is OK -> <C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll>
[WARNING] The file could not be opened!
Scan process 'utilman.exe' - '26' Module(s) have been scanned
Scan process 'utilman.exe' - '25' Module(s) have been scanned
Scan process 'utilman.exe' - '26' Module(s) have been scanned
Scan process 'utilman.exe' - '25' Module(s) have been scanned
Scan process 'taskeng.exe' - '55' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '65' Module(s) have been scanned
Scan process 'unsecapp.exe' - '34' Module(s) have been scanned
Scan process 'iPodService.exe' - '30' Module(s) have been scanned
Scan process 'ehmsas.exe' - '24' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '31' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '69' Module(s) have been scanned
Scan process 'ehtray.exe' - '29' Module(s) have been scanned
Scan process 'jusched.exe' - '32' Module(s) have been scanned
Scan process 'FLVSrvc.exe' - '20' Module(s) have been scanned
Scan process 'RUBottedGUI.exe' - '95' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '77' Module(s) have been scanned
Scan process 'igfxpers.exe' - '26' Module(s) have been scanned
Scan process 'hkcmd.exe' - '26' Module(s) have been scanned
Scan process 'RtHDVCpl.exe' - '50' Module(s) have been scanned
Scan process 'Explorer.EXE' - '157' Module(s) have been scanned
Scan process 'taskeng.exe' - '72' Module(s) have been scanned
Scan process 'Dwm.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '60' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '21' Module(s) have been scanned
Scan process 'CLSched.exe' - '41' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '67' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'RUBotSrv.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'SlingAgentService.exe' - '26' Module(s) have been scanned
Scan process 'RichVideo.exe' - '22' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '22' Module(s) have been scanned
Scan process 'SMSvcHost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '22' Module(s) have been scanned
Scan process 'MDM.EXE' - '23' Module(s) have been scanned
Scan process 'EvtEng.exe' - '88' Module(s) have been scanned
Scan process 'CLCapSvc.exe' - '83' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'svchost.exe' - '61' Module(s) have been scanned
Scan process 'spoolsv.exe' - '90' Module(s) have been scanned
Scan process 'WLANExt.exe' - '92' Module(s) have been scanned
Scan process 'svchost.exe' - '99' Module(s) have been scanned
Scan process 'svchost.exe' - '86' Module(s) have been scanned
Scan process 'SLsvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '154' Module(s) have been scanned
Scan process 'svchost.exe' - '114' Module(s) have been scanned
Scan process 'svchost.exe' - '69' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'winlogon.exe' - '36' Module(s) have been scanned
Scan process 'lsm.exe' - '22' Module(s) have been scanned
Scan process 'lsass.exe' - '62' Module(s) have been scanned
Scan process 'services.exe' - '33' Module(s) have been scanned
Scan process 'wininit.exe' - '26' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1323' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Users\PKR4599\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\1b985859-69cb1bf7
[DETECTION] Contains recognition pattern of the EXP/2010-4452.C.3 exploit
C:\Users\PKR4599\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\269cd379-72f9b3d4
[0] Archive type: ZIP
--> javax/AServers.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.DT Java virus
--> javax/Server1.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agen.FE.1 Java virus
--> javax/Server2.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.FE Java virus
C:\Users\PKR4599\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\42c01087-1844f4d3
[0] Archive type: ZIP
--> Email.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.DU Java virus
--> ExecService.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.DR.4 Java virus
C:\Windows\Temp\276F.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Windows\Temp\34E8.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
Begin scan in 'D:\' <LENOVO>

Beginning disinfection:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
C:\Windows\Temp\34E8.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4a11b773.qua'.
C:\Windows\Temp\276F.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '52b598d7.qua'.
C:\Users\PKR4599\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\42c01087-1844f4d3
[DETECTION] Contains recognition pattern of the JAVA/Agent.DR.4 Java virus
[NOTE] The file was moved to the quarantine directory under the name '00c7c23b.qua'.
C:\Users\PKR4599\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\269cd379-72f9b3d4
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.FE Java virus
[NOTE] The file was moved to the quarantine directory under the name '66da8dfd.qua'.
C:\Users\PKR4599\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\1b985859-69cb1bf7
[DETECTION] Contains recognition pattern of the EXP/2010-4452.C.3 exploit
[NOTE] The file was moved to the quarantine directory under the name '235ea037.qua'.


End of the scan: Monday, August 29, 2011 18:56
Used time: 1:18:44 Hour(s)

The scan has been done completely.

28551 Scanned directories
470930 Files were scanned
8 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
5 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
470921 Files not concerned
2056 Archives were scanned
1 Warnings
5 Notes
640301 Objects were scanned with rootkit scan
0 Hidden objects were found

The next one:
Starting the file scan:

Begin scan in 'C:\Windows\Temp\0.9004026727451206.exe'
C:\Windows\Temp\0.9004026727451206.exe
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'C:\Windows\Temp\0.5933440170871581.exe'
C:\Windows\Temp\0.5933440170871581.exe
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan

Beginning disinfection:
C:\Windows\Temp\0.5933440170871581.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4bbc8a9d.qua'.
C:\Windows\Temp\0.9004026727451206.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '532fa53a.qua'.


End of the scan: Monday, August 29, 2011 20:14
Used time: 00:00 Minute(s)

The scan has been done completely.

0 Scanned directories
74 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
72 Files not concerned
0 Archives were scanned
0 Warnings
2 Notes


I have an Intel Core Duo 2.0 processor and 3 gigs of RAM...

By slow, I mean sometimes it takes a bit longer to do everything... Sometimes it sends error messages... Earlier I tried to right-click the Start button to explore and it took like 2 mins and gave an error message... Also slow to get to a site, but I have deleted several programs I don't think I need and downloaded the Avira program.
 
Please continue with the steps in the link I left.

The instructions in the steps for Avast and Avira state that if you have a functioning, updated AV, do not download another AV. So if you have 2 AV now remove one of them. I'm not going to act on the scan as I will have you run an online scan later.

You are describing a redirect. Hopefully that will resolve when we find and remove the malware.

"Sometimes it sends error messages ... explore and it took like 2 mins and gave an error message..."
What is the message?

"I have deleted several programs I don't think I need"
Hold on uninstalling for now.

"I had an odd virus scanner that randomly showed up on my desktop."
This will be a rogue spyware program that will tell you there are virus or system problems, so don't act on those alerts.
 
pop up messages

There have been several messages....

When I right-click on the Start menu it took much longer than normal and said something like "Microsoft Explorer is not working"... Then it opened.

Other messages include: "Your Google Toolbar is not working" or "Windows has deactivated Google Toolbar" when I was not actively doing anything on the internet.

Also, I ran Malwarebytes... Below:
Since then it has popped up saying "it has [blocked] a potentially harmful website from opening... IP address... port... outgoing..."
This is happening once a minute or so...


Log 1:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7607

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

8/29/2011 11:27:45 PM
mbam-log-2011-08-29 (23-27-45).txt

Scan type: Quick scan
Objects scanned: 179695
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\$RECYCLE.BIN\s-1-5-21-2334243749-4289735363-2917608400-1004\$R0KL7RR.exe (Rogue.SecurityProtection) -> Quarantined and deleted successfully.
c:\Users\PKR4599\local settings\application data\utilman.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.0032638488820961875.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.34204682402370423.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.35492247697275514.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.0694536658114896.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.4658650335313247.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.5025280783290336.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.6471331976024879.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.9397806567125857.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.9423741300686167.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.683877108682626.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.


Edit: 2nd Mbam log deleted by Bobbye. Leaving this original log.
 
You can stop running Malwarebytes for now. Please continue on with the rest of the steps.
 
gmer scan

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-31 14:17:16
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.FBEO
Running: 3GMER.exe; Driver: C:\Windows\TEMP\pxriyfob.sys

Edit: Old GMER log deleted by Bobbye
 
dds scan

Edit: Old DDS log deleted by Bobbye

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.5.0_12
Run by PKR4599 at 14:24:19 on 2011-08-31
 
Okay- your description in 'first' is definitely a redirect.

The description in 'second' sounds like a rogue malware program. These 'scareware' programs tell you the system has infections or errors and you need to click on their link to 'fix' them. But the 'problems' have been 'invented' for the scam to trick you into buying.

I think it is the (Rogue.SecurityProtection) that was found in the Recycle Bin. Please do a right click on the bin and empty the trash!
=====================================
The Exploit entries quarantined in Mbam are usually found in the Java cache. You will get malware there when you have outdated Java on the system.
I note you do have the current Java v6u27, but you still have an add-on for Java v5u12 in IE, and you have Java v5 updates 12, 13, 14, 15 in Firefox. Java doesn't overwrite the previous update, so you need to update immediately: Java Updates. Uninstall all versions of outdated Java in Add/Remove Programs, as they are vulnerabilities for the system.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
You do not need a separate plugin for Firefox.
=================================
The Java cache needs to be emptied. To clear the Java Plug-in cache:

  [1]. Click Start > Control Panel.
  [2]. Double-click the Java icon in the Control Panel. The Java Control Panel appears.
  [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
  [5]. Click OK on the Delete Temporary Files window.
       Note: This deletes all the downloaded applications and applets from the cache.
  [6]. Click Apply > OK on the Temporary Files Settings window.
Images courtesy java.com
====================================
Did you have any antivirus program running before you installed Avira?
======================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save it to the desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

All logs in next reply please.

You commented at the end of the Avira scan that "Sometimes it sends error messages." For me to work with that, I need to know what you were doing or trying to do when you got the message and what the message said.
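To show the triage the helper describes above (exploit hits clustering in the Java deployment cache, dropper payloads in Windows\Temp, quarantine recorded per file rather than per detection), here is an added Python parser for the Avira report layout pasted earlier in this thread. It is example code, not part of the thread or of Avira's own tooling; the report excerpt is constructed in that layout, with one quarantine note deliberately left out so the unresolved-file case shows, and the location bucket names are my own.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Avira AntiVir report pasted in this thread
# (same sections and line shapes; paths taken from the thread, set trimmed, and the
# quarantine note for the 6.0\25 cache file intentionally omitted).
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\Users\PKR4599\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\1b985859-69cb1bf7
[DETECTION] Contains recognition pattern of the EXP/2010-4452.C.3 exploit
C:\Users\PKR4599\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\269cd379-72f9b3d4
[0] Archive type: ZIP
--> javax/AServers.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.DT Java virus
--> javax/Server1.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agen.FE.1 Java virus
C:\Windows\Temp\276F.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
Begin scan in 'D:\' <LENOVO>

Beginning disinfection:
C:\Windows\Temp\276F.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '52b598d7.qua'.
C:\Users\PKR4599\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\269cd379-72f9b3d4
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.FE Java virus
[NOTE] The file was moved to the quarantine directory under the name '66da8dfd.qua'.
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # a line that is a scanned file path
MEMBER_RE = re.compile(r"^--> (.+)$")                  # an entry inside an archive
DETECTION_RE = re.compile(
    r"^\[DETECTION\] (?:Contains recognition pattern of the|Is the) (\S+)")
QUARANTINE_RE = re.compile(
    r"^\[NOTE\] The file was moved to the quarantine directory under the name '([^']+)'")

# Location buckets (my own names) matching the places the helper calls out in the thread.
LOCATIONS = (
    ("java-cache", re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I)),
    ("windows-temp", re.compile(r"^[A-Za-z]:\\Windows\\Temp\\", re.I)),
    ("recycle-bin", re.compile(r"\\\$RECYCLE\.BIN\\", re.I)),
)

def classify(path):
    """Map a detected file path to one of the triage buckets above."""
    for name, pattern in LOCATIONS:
        if pattern.search(path):
            return name
    return "other"

def parse_report(text):
    """Return scan-phase detections and the per-file quarantine results."""
    detections, quarantined = [], {}
    disinfecting = False          # flips when the 'Beginning disinfection:' section starts
    path = member = None
    for line in text.splitlines():
        line = line.strip()
        if line == "Beginning disinfection:":
            disinfecting = True
            path = member = None
            continue
        if PATH_RE.match(line):
            path, member = line, None     # a new file; forget any archive member
            continue
        m = MEMBER_RE.match(line)
        if m:
            member = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and path and not disinfecting:
            detections.append({"path": path, "member": member,
                               "signature": m.group(1), "location": classify(path)})
            continue
        m = QUARANTINE_RE.match(line)
        if m and path and disinfecting:
            quarantined[path] = m.group(1)   # quarantine is per file, not per detection
    return {"detections": detections, "quarantined": quarantined}

def summarize(report):
    """Count detections per location and list detected files the scanner never quarantined."""
    by_location = Counter(d["location"] for d in report["detections"])
    detected_files = {d["path"] for d in report["detections"]}
    unresolved = sorted(detected_files - set(report["quarantined"]))
    return by_location, unresolved

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    counts, unresolved = summarize(rep)
    for loc, n in counts.most_common():
        print(f"{loc:13s} {n} detection(s)")
    print("quarantined files:", len(rep["quarantined"]))
    for p in unresolved:
        print("detected but not quarantined:", p)
```

Run against the full report in the thread, the unresolved list is empty (all five detected files were quarantined); the excerpt above leaves one Java cache file hanging so the check has something to report.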
 
combofix

ComboFix 11-09-01.03 - PKR4599 09/02/2011 13:01:50.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3063.1708 [GMT -4:00]
Running from: c:\users\PKR4599\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
c:\users\PKR4599\67.xps
c:\users\PKR4599\Documents\~WRL1126.tmp
c:\users\PKR4599\Documents\~WRL1492.tmp
c:\users\PKR4599\Documents\~WRL1691.tmp
c:\users\PKR4599\Documents\~WRL2118.tmp
c:\users\PKR4599\Documents\~WRL2902.tmp
c:\users\PKR4599\Documents\~WRL3214.tmp
c:\users\PKR4599\Documents\~WRL3250.tmp
c:\users\PKR4599\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))))))))
.
.
2011-09-02 17:07 . 2011-09-02 17:07 -------- d-----w- c:\users\PKR4599\AppData\Local\temp
2011-09-02 17:07 . 2011-09-02 17:07 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-09-02 17:07 . 2011-09-02 17:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-30 03:09 . 2011-08-30 03:09 -------- d-----w- c:\users\PKR4599\AppData\Roaming\Malwarebytes
2011-08-30 03:09 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-30 03:09 . 2011-08-30 03:09 -------- d-----w- c:\programdata\Malwarebytes
2011-08-30 03:09 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 00:25 . 2011-09-02 16:10 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-08-30 00:25 . 2011-09-02 16:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-29 21:33 . 2011-08-29 21:33 -------- d-----w- c:\users\PKR4599\AppData\Roaming\Avira
2011-08-29 21:30 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-29 21:30 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-29 21:30 . 2011-08-29 21:30 -------- d-----w- c:\programdata\Avira
2011-08-29 21:30 . 2011-08-29 21:30 -------- d-----w- c:\program files\Avira
2011-08-29 19:47 . 2011-08-30 00:06 -------- d-----w- c:\program files\PC Tools Security
2011-08-29 19:39 . 2011-08-29 21:10 -------- d-----w- c:\programdata\PC Tools
2011-08-26 14:52 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5EF5FD60-C260-46F0-9806-1CFB879118C5}\mpengine.dll
2011-08-24 18:30 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-17 16:33 . 2011-08-17 16:33 22032 ----a-w- c:\windows\DCEBoot.exe
2011-08-09 20:45 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-09 20:45 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-09 20:45 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-08-09 20:45 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-09 20:45 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-09 20:45 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-09 21:52 . 2011-07-09 21:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-13 14:38 . 2011-06-13 14:38 161792 ----a-w- c:\windows\system32\msls31.dll
2011-06-13 14:38 . 2011-06-13 14:38 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-06-13 14:38 . 2011-06-13 14:38 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-06-13 14:38 . 2011-06-13 14:38 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-06-13 14:38 . 2011-06-13 14:38 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-06-13 14:38 . 2011-06-13 14:38 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-06-13 14:38 . 2011-06-13 14:38 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-06-13 14:38 . 2011-06-13 14:38 367104 ----a-w- c:\windows\system32\html.iec
2011-06-13 14:38 . 2011-06-13 14:38 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-13 14:38 . 2011-06-13 14:38 152064 ----a-w- c:\windows\system32\wextract.exe
2011-06-13 14:38 . 2011-06-13 14:38 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-06-13 14:38 . 2011-06-13 14:38 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-13 14:38 . 2011-06-13 14:38 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-06-13 14:38 . 2011-06-13 14:38 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-06-13 14:38 . 2011-06-13 14:38 11776 ----a-w- c:\windows\system32\mshta.exe
2011-06-13 14:38 . 2011-06-13 14:38 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-06-13 14:38 . 2011-06-13 14:38 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-06-13 14:38 . 2011-06-13 14:38 101888 ----a-w- c:\windows\system32\admparse.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2010-10-18 17:26 3908192 ----a-w- c:\program files\Freecorder\tbFree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-08 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]
"Skytel"="Skytel.exe" [2007-10-11 1826816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Malwarebytes' Anti-Malware"="c:\users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"Malwarebytes' Anti-Malware (reboot)"="c:\users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-11-10 18:13 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 11:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 09:31 630784 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-08 22:48 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-03-01 13:24 857648 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 135664]
R3 CapFilt;CapFilt; [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 135664]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
S2 MBAMService;MBAMService;c:\users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 SlingAgentService;SlingAgent Service;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2008-09-21 93960]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 22:48]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 22:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 66.0.214.14 207.230.75.50
FF - ProfilePath - c:\users\PKR4599\AppData\Roaming\Mozilla\Firefox\Profiles\1pxn59ft.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
MSConfigStartUp-BDAgent - c:\program files\BitDefender\BitDefender 2009\bdagent.exe
MSConfigStartUp-dvd43 - c:\program files\dvd43\dvd43_tray.exe
MSConfigStartUp-PCMService - c:\program files\Lenovo\ShuttleCenter\PCMService.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-Windows Mobile Device Center - c:\windows\WindowsMobile\wmdc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-02 13:07
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2944)
c:\users\PKR4599\AppData\Local\FLVService\lib\FLVSrvLib.dll
.
Completion time: 2011-09-02 13:09:49
ComboFix-quarantined-files.txt 2011-09-02 17:09
ComboFix2.txt 2009-06-11 21:16
.
Pre-Run: 58,528,448,512 bytes free
Post-Run: 58,685,669,376 bytes free
.
- - End Of File - - 2E1AEC6DBE234F13FA1960C0A8F4305F
 
unknown icon on desktop

I have an icon that looks like a piece of paper and it's named Mozilla Firefox. I cannot delete it... please advise.

Here is the Avira scan:

Avira AntiVir Personal
Report file date: Friday, September 02, 2011 14:26

Scanning for 3327751 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : PKR4599
Computer name : PKR4599-PC

Version information:
BUILD.DAT : 10.2.0.700 35934 Bytes 7/21/2011 17:12:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 7/21/2011 16:12:28
AVSCAN.DLL : 10.0.5.0 47464 Bytes 7/21/2011 16:15:00
LUKE.DLL : 10.3.0.5 45416 Bytes 7/21/2011 16:13:59
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 7/21/2011 16:12:28
AVREG.DLL : 10.3.0.9 90472 Bytes 7/21/2011 16:12:21
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 11:53:55
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 11:53:56
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 16:14:25
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 16:14:28
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 16:14:29
VBASE006.VDF : 7.11.13.60 6411776 Bytes 8/16/2011 21:32:11
VBASE007.VDF : 7.11.13.61 2048 Bytes 8/16/2011 21:32:11
VBASE008.VDF : 7.11.13.62 2048 Bytes 8/16/2011 21:32:11
VBASE009.VDF : 7.11.13.63 2048 Bytes 8/16/2011 21:32:11
VBASE010.VDF : 7.11.13.64 2048 Bytes 8/16/2011 21:32:11
VBASE011.VDF : 7.11.13.65 2048 Bytes 8/16/2011 21:32:11
VBASE012.VDF : 7.11.13.66 2048 Bytes 8/16/2011 21:32:12
VBASE013.VDF : 7.11.13.95 166400 Bytes 8/17/2011 21:32:14
VBASE014.VDF : 7.11.13.125 209920 Bytes 8/18/2011 21:32:16
VBASE015.VDF : 7.11.13.157 184832 Bytes 8/22/2011 21:32:18
VBASE016.VDF : 7.11.13.201 128000 Bytes 8/24/2011 21:32:19
VBASE017.VDF : 7.11.13.234 160768 Bytes 8/25/2011 21:32:21
VBASE018.VDF : 7.11.14.16 141312 Bytes 8/30/2011 01:12:54
VBASE019.VDF : 7.11.14.48 133120 Bytes 8/31/2011 01:12:56
VBASE020.VDF : 7.11.14.49 2048 Bytes 8/31/2011 01:12:56
VBASE021.VDF : 7.11.14.50 2048 Bytes 8/31/2011 01:12:56
VBASE022.VDF : 7.11.14.51 2048 Bytes 8/31/2011 01:12:56
VBASE023.VDF : 7.11.14.52 2048 Bytes 8/31/2011 01:12:57
VBASE024.VDF : 7.11.14.53 2048 Bytes 8/31/2011 01:12:57
VBASE025.VDF : 7.11.14.54 2048 Bytes 8/31/2011 01:12:57
VBASE026.VDF : 7.11.14.55 2048 Bytes 8/31/2011 01:12:58
VBASE027.VDF : 7.11.14.56 2048 Bytes 8/31/2011 01:12:58
VBASE028.VDF : 7.11.14.57 2048 Bytes 8/31/2011 01:12:58
VBASE029.VDF : 7.11.14.58 2048 Bytes 8/31/2011 01:12:59
VBASE030.VDF : 7.11.14.59 2048 Bytes 8/31/2011 01:12:59
VBASE031.VDF : 7.11.14.73 124928 Bytes 9/2/2011 15:52:27
Engineversion : 8.2.6.54
AEVDF.DLL : 8.1.2.1 106868 Bytes 4/21/2011 11:53:28
AESCRIPT.DLL : 8.1.3.76 1626490 Bytes 8/29/2011 21:32:51
AESCN.DLL : 8.1.7.2 127349 Bytes 4/21/2011 11:53:27
AESBX.DLL : 8.2.1.34 323957 Bytes 7/21/2011 16:11:50
AERDL.DLL : 8.1.9.13 639349 Bytes 7/21/2011 16:11:49
AEPACK.DLL : 8.2.10.10 684407 Bytes 9/2/2011 15:53:02
AEOFFICE.DLL : 8.1.2.13 201083 Bytes 8/29/2011 21:32:45
AEHEUR.DLL : 8.1.2.164 3654007 Bytes 9/2/2011 15:52:55
AEHELP.DLL : 8.1.17.7 254327 Bytes 8/29/2011 21:32:32
AEGEN.DLL : 8.1.5.9 401780 Bytes 8/29/2011 21:32:31
AEEMU.DLL : 8.1.3.0 393589 Bytes 4/21/2011 11:53:14
AECORE.DLL : 8.1.23.0 196983 Bytes 8/29/2011 21:32:28
AEBB.DLL : 8.1.1.0 53618 Bytes 4/21/2011 11:53:14
AVWINLL.DLL : 10.0.0.0 19304 Bytes 4/21/2011 11:53:36
AVPREF.DLL : 10.0.3.2 44904 Bytes 7/21/2011 16:12:20
AVREP.DLL : 10.0.0.10 174120 Bytes 7/21/2011 16:12:22
AVARKT.DLL : 10.0.26.1 255336 Bytes 7/21/2011 16:12:00
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 7/21/2011 16:12:10
SQLITE3.DLL : 3.6.19.0 355688 Bytes 7/21/2011 19:12:31
AVSMTP.DLL : 10.0.0.17 63848 Bytes 4/21/2011 11:53:36
NETNT.DLL : 10.0.0.0 11624 Bytes 4/21/2011 11:53:46
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 7/21/2011 16:15:09
RCTEXT.DLL : 10.0.64.0 97640 Bytes 7/21/2011 16:15:09

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Advanced

Start of the scan: Friday, September 02, 2011 14:26

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'chrome.exe' - '43' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'vssvc.exe' - '49' Module(s) have been scanned
Scan process 'avscan.exe' - '72' Module(s) have been scanned
Scan process 'chrome.exe' - '43' Module(s) have been scanned
Scan process 'chrome.exe' - '85' Module(s) have been scanned
Scan process 'Explorer.exe' - '128' Module(s) have been scanned
Scan process 'mbamservice.exe' - '50' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '21' Module(s) have been scanned
Scan process 'iPodService.exe' - '30' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '33' Module(s) have been scanned
Scan process 'ehmsas.exe' - '24' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '68' Module(s) have been scanned
Scan process 'ehtray.exe' - '28' Module(s) have been scanned
Scan process 'unsecapp.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '61' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '30' Module(s) have been scanned
Scan process 'mbamgui.exe' - '41' Module(s) have been scanned
Scan process 'wmdcBase.exe' - '37' Module(s) have been scanned
Scan process 'avgnt.exe' - '59' Module(s) have been scanned
Scan process 'FLVSrvc.exe' - '19' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '76' Module(s) have been scanned
Scan process 'igfxpers.exe' - '25' Module(s) have been scanned
Scan process 'hkcmd.exe' - '25' Module(s) have been scanned
Scan process 'RtHDVCpl.exe' - '49' Module(s) have been scanned
Scan process 'taskeng.exe' - '86' Module(s) have been scanned
Scan process 'Dwm.exe' - '36' Module(s) have been scanned
Scan process 'taskeng.exe' - '49' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '67' Module(s) have been scanned
Scan process 'svchost.exe' - '9' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'SlingAgentService.exe' - '26' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '22' Module(s) have been scanned
Scan process 'SMSvcHost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '22' Module(s) have been scanned
Scan process 'MDM.EXE' - '23' Module(s) have been scanned
Scan process 'avshadow.exe' - '33' Module(s) have been scanned
Scan process 'EvtEng.exe' - '88' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'avguard.exe' - '75' Module(s) have been scanned
Scan process 'svchost.exe' - '57' Module(s) have been scanned
Scan process 'sched.exe' - '56' Module(s) have been scanned
Scan process 'spoolsv.exe' - '87' Module(s) have been scanned
Scan process 'WLANExt.exe' - '92' Module(s) have been scanned
Scan process 'svchost.exe' - '100' Module(s) have been scanned
Scan process 'svchost.exe' - '86' Module(s) have been scanned
Scan process 'SLsvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '149' Module(s) have been scanned
Scan process 'svchost.exe' - '114' Module(s) have been scanned
Scan process 'svchost.exe' - '69' Module(s) have been scanned
Scan process 'svchost.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'winlogon.exe' - '36' Module(s) have been scanned
Scan process 'lsm.exe' - '22' Module(s) have been scanned
Scan process 'lsass.exe' - '62' Module(s) have been scanned
Scan process 'services.exe' - '33' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'wininit.exe' - '26' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1191' files ).


Starting the file scan:

Begin scan in 'C:\'
Begin scan in 'D:\' <LENOVO>


End of the scan: Friday, September 02, 2011 16:22
Used time: 1:55:57 Hour(s)

The scan has been done completely.

27779 Scanned directories
366040 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
366040 Files not concerned
1941 Archives were scanned
0 Warnings
0 Notes
614944 Objects were scanned with rootkit scan
0 Hidden objects were found
 
malwarebytes

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7637

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

9/2/2011 5:01:01 PM
mbam-log-2011-09-02 (17-01-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 307010
Time elapsed: 2 hour(s), 15 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
gmer quick scan and gmer full

Edit: Duplicate GMER deleted by Bobbye

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-02 17:52:12
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.FBEO
Running: 3GMER.exe; Driver: C:\Windows\TEMP\pxriyfob.sys


---- System - GMER 1.0.15 ----

SSDT 8D0FBEBE ZwCreateSection
SSDT 8D0FBEC3 ZwSetContextThread
SSDT 8D0FBE5F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 215 824E6998 4 Bytes [BE, BE, 0F, 8D]
.text ntkrnlpa.exe!KeSetEvent + 56D 824E6CF0 4 Bytes [C3, BE, 0F, 8D]
.text ntkrnlpa.exe!KeSetEvent + 621 824E6DA4 4 Bytes [5F, BE, 0F, 8D]
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\Windows\TEMP\catchme.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [74797817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [747EA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7479BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7478F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [747975E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [7478E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [747C8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [7479DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [7478FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [7478FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [747871CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7481CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [747BC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [7478D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [74786853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [7478687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2944] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [74792AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
 
dds

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_27
Run by PKR4599 at 18:00:22 on 2011-09-02
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3063.1336 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HPService
C:\Users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\Explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
uURLSearchHooks: H - No File
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: CPub Object: {c86ae9c0-0909-4ddc-b661-c1afb9f5ae53} - c:\program files\firetrust\sitehound\SiteHound.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: SiteHound: {73f7f495-a325-4c52-be48-5f97fa511e89} - c:\program files\firetrust\sitehound\SiteHound.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
mRun: [Malwarebytes' Anti-Malware] "c:\users\pkr4599\desktop\anti virusmalware\malwarebytes\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\users\pkr4599\desktop\anti virusmalware\malwarebytes\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\users\pkr4599\desktop\anti virusmalware\malwarebytes\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - c:\program files\lenovo\veriface\OpenWnd.exe
IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89} - c:\program files\firetrust\sitehound\SiteHound.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 66.0.214.14 207.230.75.50
TCP: Interfaces\{2E64BAD0-6599-45D7-97AB-7E4EC519DCFB} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{CA5845D8-2E03-4447-A695-B68C12E555A0} : DhcpNameServer = 66.0.214.14 207.230.75.50
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\pkr4599\appdata\roaming\mozilla\firefox\profiles\1pxn59ft.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\pkr4599\appdata\roaming\mozilla\firefox\profiles\1pxn59ft.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-29 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-29 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-29 66616]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-14 21504]
R2 MBAMService;MBAMService;c:\users\pkr4599\desktop\anti virusmalware\malwarebytes\malwarebytes' anti-malware\mbamservice.exe [2011-8-29 366640]
R2 SlingAgentService;SlingAgent Service;c:\program files\sling media\slingagent\SlingAgentService.exe [2008-9-21 93960]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-5-19 21520]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-7-22 180736]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-29 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-8 135664]
S3 CapFilt;CapFilt;c:\windows\system32\drivers\CapFilt.sys [2008-9-14 18048]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-8 135664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-02 17:09:51 -------- d-----w- c:\users\pkr4599\appdata\local\temp
2011-09-02 17:08:46 -------- d-sh--w- C:\$RECYCLE.BIN
2011-09-02 16:59:29 208896 ----a-w- c:\windows\MBR.exe
2011-08-30 03:09:31 -------- d-----w- c:\users\pkr4599\appdata\roaming\Malwarebytes
2011-08-30 03:09:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-30 03:09:26 -------- d-----w- c:\programdata\Malwarebytes
2011-08-30 03:09:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 00:25:10 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-08-30 00:25:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-29 21:33:48 -------- d-----w- c:\users\pkr4599\appdata\roaming\Avira
2011-08-29 21:30:37 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-29 21:30:36 -------- d-----w- c:\programdata\Avira
2011-08-29 21:30:36 -------- d-----w- c:\program files\Avira
2011-08-29 19:47:07 -------- d-----w- c:\program files\PC Tools Security
2011-08-29 19:39:16 -------- d-----w- c:\programdata\PC Tools
2011-08-26 14:52:00 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5ef5fd60-c260-46f0-9806-1cfb879118c5}\mpengine.dll
2011-08-24 18:30:23 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-17 16:33:18 22032 ----a-w- c:\windows\DCEBoot.exe
2011-08-09 20:45:50 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-09 20:45:48 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-09 20:45:45 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-08-09 20:45:34 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-09 20:45:34 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-09 20:45:31 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
==================== Find3M ====================
.
2011-08-17 16:36:53 81984 ----a-w- c:\windows\system32\bdod.bin
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-09 21:52:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe
.
============= FINISH: 18:00:48.24 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 9/14/2008 4:03:56 AM
System Uptime: 9/2/2011 11:49:39 AM (7 hours ago)
.
Motherboard: LENOVO | | SPEEDY
Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | Socket 478 | 2000/167mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 189 GiB total, 55.743 GiB free.
D: is FIXED (NTFS) - 27 GiB total, 27.165 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Officejet Pro L7500
Device ID: ROOT\IMAGE\0000
Manufacturer: Hewlett-Packard
Name: Officejet Pro L7500
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet Pro L7500
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet Pro L7500
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
RP892: 8/28/2011 5:39:21 PM - Scheduled Checkpoint
RP893: 8/29/2011 1:32:40 PM - Scheduled Checkpoint
RP894: 8/29/2011 5:45:15 PM - Removed W Photo Studio
RP895: 8/29/2011 8:23:37 PM - Installed Java(TM) 6 Update 27
RP896: 8/29/2011 8:25:24 PM - Removed Java(TM) 6 Update 27
RP897: 8/29/2011 8:30:17 PM - Removed Windows Mobile Device Center Driver Update
RP898: 8/29/2011 8:31:18 PM - Removed Windows Mobile Device Center
RP899: 8/29/2011 8:32:41 PM - Removed TurboApps WinMobile Conduit
RP900: 8/29/2011 8:36:02 PM - Removed MSXML 4.0 SP2 (KB973688)
RP901: 8/30/2011 1:18:49 PM - Scheduled Checkpoint
RP902: 8/31/2011 1:32:34 PM - Scheduled Checkpoint
RP903: 9/2/2011 12:09:50 PM - Installed Java(TM) 6 Update 27
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
BPD_Scan
Broadcom Gigabit Integrated Controller
CallAtlanta
Compatibility Pack for the 2007 Office system
Documents To Go
EasyCapture
Freecorder
Freecorder Toolbar
Garmin USB Drivers
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HouseCall 6.6
HP Driver Diagnostics
HP Officejet Pro All-In-One Series
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
iTunes
J2SE Runtime Environment 5.0 Update 12
Java Auto Updater
Java(TM) 6 Update 27
Lenovo Easy Camera
Malwarebytes' Anti-Malware version 1.51.1.1800
mCore
mDriver
mHelp
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office Professional Edition 2003
Microsoft Office Small Business Connectivity Components
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
mMHouse
MobileMe Control Panel
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.0.13)
mPfMgr
MSXML 4.0 SP2 (KB973688)
NetDeviceManager
OGA Notifier 2.0.0048.0
Olympus Digital Wave Player
Picasa 3
QuickTime
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Safari
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Slingbox Platform SDK 1.2.5.15
SlingPlayer
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WinFlash
.
==== End Of File ===========================
 
Is there some reason you keep running these programs? The preliminary scans were:
Malwarebytes> run once
DDS, logs for DDS.txt and Attach.txt> run once
GMER> run once

I had you clear the Java cache and run Combofix.
---------------------------------------
DDS.txt
1. DDS (Ver_2011-08-26.01) - NTFSx86>
Run by PKR4599 at 18:00:22 on 2011-09-02> Keep
2. DDS (Ver_2011-08-26.01) - NTFSx8>
Run by PKR4599 at 14:24:19 on 2011-08-31> Delete
3. DDS (Ver_2011-08-26.01) - NTFSx86
Run by PKR4599 at 18:00:22 on 2011-09-02>> Delete dup. posted twice

Attach.txt
1. DDS (Ver_2011-08-26.01)
Microsoft® Windows Vista™ Home Premium
System Uptime: 9/2/2011 11:49:39 AM (7 hours ago)> Keep
2. DDS (Ver_2011-08-26.01)
Microsoft® Windows Vista™ Home Premium
System Uptime: 8/31/2011 11:20:23 AM (3 hours ago)> Delete
3. DDS (Ver_2011-08-26.01)
System Uptime: 9/2/2011 11:49:39 AM (7 hours ago)> Delete dup- posted twice

Malwarebytes
1. mbam-log-2011-08-29 (23-27-45).txt> Keep original
2. mbam-log-2011-08-30 (01-33-01).txt> Delete
3. mbam-log-2011-09-02 (17-01-01).txt> Keep

GMER
1. GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-31 14:17:16> Delete
2. GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-02 17:23:53> Keep

Avira>>> none requested
1. Report file date: Monday, August 29, 2011 17:36> Delete
Avira AntiVir Personal
2. Report file date: Friday, September 02, 2011 14:26> Keep
---------------------------------------
Combofix has been run once. Please do not run it again.

You don't need me to help you if you're going to run scans over and over! I will clean up this thread tomorrow. It's my job to instruct you in what to run and when to run it.

Please do not run any more scans until I instruct you to. The time it's taking me to document all this is time I could be spending helping someone.
 
My bad... I thought when you said "All logs in next reply please" that you wanted me to do it.

It won't happen again! Thanks again for your help.
 
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"=-
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-
DDS::
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
uURLSearchHooks: H - No File
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
Driver::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Outdated programs:
1. Java: Current version loaded. Uninstall all but Java v6u27
2. Adobe Reader 8.1.2: Current version loaded> uninstall
3. Adobe Reader 8.1.2 Security Update 1> uninstall
4. Mozilla Firefox (3.0.13): way out of date. Please update now.
5. Java in Firefox: Tools> Addons. Remove v5u12 and v6 updates 14, 15, 17, 18.
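The CFScript above is built by hand from the DDS "Pseudo HJT Report": every entry that shares the Freecorder CLSID (URLSearchHooks, BHO, Toolbar) plus the FLVSrvc.exe Run entry is listed under DDS::, and the matching registry locations are listed under Registry::. The script below is an added example, not part of this thread and not ComboFix's or DDS's own code; it parses a handful of DDS lines (constructed from the log on this page), selects everything tied to one CLSID or one install path, and emits the three CFScript sections. The registry mapping is the standard one: a leading u/m in DDS means HKCU/HKLM, BHOs live under Explorer\Browser Helper Objects, toolbars and search hooks are CLSID-named values under the Internet Explorer keys, and the COM registration sits under HKCR\CLSID. The generator uses the explicit .reg forms ComboFix accepts, `[-Key]` to delete a key and `"Value"=-` to delete a value; the file paths it collects for File:: are whatever appears after the " - " separator or inside the Run command, so entries marked "No File" are ignored.

```python
"""Build a ComboFix CFScript from DDS Pseudo-HJT lines (added example)."""
import re

# Constructed sample: the Freecorder lines from the DDS log on this page plus
# three unrelated entries that a correct filter must leave alone.
SAMPLE_DDS = r"""
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
uURLSearchHooks: H - No File
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
""".strip()

# DDS prefixes: u = per-user hive, m = machine hive.
HIVE = {"u": "HKEY_CURRENT_USER", "m": "HKEY_LOCAL_MACHINE"}
IE_KEY = r"Software\Microsoft\Internet Explorer"
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

LINE_RE = re.compile(r"^(?P<kind>[um]URLSearchHooks|BHO|TB|[um]Run):\s*(?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
RUN_NAME_RE = re.compile(r"^\[(?P<name>[^\]]+)\]")
FILE_RE = re.compile(r'[a-z]:\\[^"]+?\.(?:dll|exe|sys)\b', re.I)


def parse_dds_line(line):
    """Return a dict for one Pseudo-HJT entry, or None for any other DDS line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    clsid = CLSID_RE.search(rest)
    name = RUN_NAME_RE.match(rest)
    path = FILE_RE.search(rest)
    return {
        "kind": kind,
        "raw": line.strip(),
        "clsid": clsid.group(0).lower() if clsid else None,
        "name": name.group("name") if name else None,
        "path": path.group(0).lower() if path else None,   # None for "No File"
    }


def select_entries(entries, clsid=None, path_fragment=None):
    """Entries registered under `clsid`, or whose file path contains `path_fragment`."""
    clsid = clsid.lower() if clsid else None
    frag = path_fragment.lower() if path_fragment else None
    out = []
    for e in entries:
        if e is None:
            continue
        if (clsid and e["clsid"] == clsid) or (frag and e["path"] and frag in e["path"]):
            out.append(e)
    return out


def registry_block(e):
    """CFScript Registry:: lines for one entry, in .reg syntax:
    [-Key] removes the whole key, "Value"=- removes one value under a key."""
    k, c, n = e["kind"], e["clsid"], e["name"]
    if k.endswith("URLSearchHooks"):
        return (f"[{HIVE[k[0]]}\\{IE_KEY}\\URLSearchHooks]", f'"{c}"=-')
    if k == "BHO":
        return (f"[-HKEY_LOCAL_MACHINE\\{BHO_KEY}\\{c}]",)
    if k == "TB":
        return (f"[HKEY_LOCAL_MACHINE\\{IE_KEY}\\Toolbar]", f'"{c}"=-')
    if k.endswith("Run"):
        return (f"[{HIVE[k[0]]}\\{RUN_KEY}]", f'"{n}"=-')
    return ()


def build_cfscript(entries):
    """Assemble the File::, Registry:: and DDS:: sections for the selected entries.
    The HKCR CLSID registration is removed once per CLSID so no host can
    instantiate the DLL through a reference the scan did not list."""
    files = sorted({e["path"] for e in entries if e["path"]})
    blocks = []
    for e in entries:
        b = registry_block(e)
        if b and b not in blocks:      # de-duplicate whole key/value pairs
            blocks.append(b)
    for c in sorted({e["clsid"] for e in entries if e["clsid"]}):
        blocks.append((f"[-HKEY_CLASSES_ROOT\\CLSID\\{c}]",))
    reg = [ln for b in blocks for ln in b]
    dds = [e["raw"] for e in entries]
    return "\n".join(["File::", *files, "Registry::", *reg, "DDS::", *dds]) + "\n"


if __name__ == "__main__":
    parsed = [parse_dds_line(l) for l in SAMPLE_DDS.splitlines()]
    hits = select_entries(parsed, clsid="{1392B8D2-5C05-419F-A8F6-B9F15A596612}",
                          path_fragment="freecorder")
    print(build_cfscript(hits))
```

Run it and the output is a CFScript that names only the Freecorder artefacts: the two tbFree.dll/FLVSrvc.exe paths under File::, the HKCU and HKLM URLSearchHooks values, the BHO key, the IE Toolbar value, the HKLM Run value and the CLSID registration under Registry::, and the five original DDS lines under DDS::. The Google BHO and the Avira Run entry, which share no CLSID and no path fragment, are left untouched, which is the check worth making before dragging any generated script onto ComboFix.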
 
cfscript log

ComboFix 11-09-08.03 - PKR4599 09/08/2011 15:08:29.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3063.1714 [GMT -4:00]
Running from: c:\users\PKR4599\Desktop\ComboFix.exe
Command switches used :: c:\users\PKR4599\Desktop\cfscript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\freecorder\FLVSrvc.exe
c:\program files\freecorder\tbFree.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))
.
.
2011-09-08 19:13 . 2011-09-08 19:13 -------- d-----w- c:\users\PKR4599\AppData\Local\temp
2011-09-08 19:13 . 2011-09-08 19:13 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-09-08 19:13 . 2011-09-08 19:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-30 03:09 . 2011-08-30 03:09 -------- d-----w- c:\users\PKR4599\AppData\Roaming\Malwarebytes
2011-08-30 03:09 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-30 03:09 . 2011-08-30 03:09 -------- d-----w- c:\programdata\Malwarebytes
2011-08-30 03:09 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 00:25 . 2011-09-02 16:10 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-08-30 00:25 . 2011-09-02 16:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-29 21:33 . 2011-08-29 21:33 -------- d-----w- c:\users\PKR4599\AppData\Roaming\Avira
2011-08-29 21:30 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-29 21:30 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-29 21:30 . 2011-08-29 21:30 -------- d-----w- c:\programdata\Avira
2011-08-29 21:30 . 2011-08-29 21:30 -------- d-----w- c:\program files\Avira
2011-08-29 19:47 . 2011-08-30 00:06 -------- d-----w- c:\program files\PC Tools Security
2011-08-29 19:39 . 2011-08-29 21:10 -------- d-----w- c:\programdata\PC Tools
2011-08-26 14:52 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5EF5FD60-C260-46F0-9806-1CFB879118C5}\mpengine.dll
2011-08-24 18:30 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-17 16:33 . 2011-08-17 16:33 22032 ----a-w- c:\windows\DCEBoot.exe
2011-08-09 20:45 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-09 20:45 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-09 20:45 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-08-09 20:45 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-09 20:45 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-09 20:45 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-09 21:52 . 2011-07-09 21:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-13 14:38 . 2011-06-13 14:38 161792 ----a-w- c:\windows\system32\msls31.dll
2011-06-13 14:38 . 2011-06-13 14:38 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-06-13 14:38 . 2011-06-13 14:38 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-06-13 14:38 . 2011-06-13 14:38 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-06-13 14:38 . 2011-06-13 14:38 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-06-13 14:38 . 2011-06-13 14:38 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-06-13 14:38 . 2011-06-13 14:38 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-06-13 14:38 . 2011-06-13 14:38 367104 ----a-w- c:\windows\system32\html.iec
2011-06-13 14:38 . 2011-06-13 14:38 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-13 14:38 . 2011-06-13 14:38 152064 ----a-w- c:\windows\system32\wextract.exe
2011-06-13 14:38 . 2011-06-13 14:38 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-06-13 14:38 . 2011-06-13 14:38 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-13 14:38 . 2011-06-13 14:38 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-06-13 14:38 . 2011-06-13 14:38 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-06-13 14:38 . 2011-06-13 14:38 11776 ----a-w- c:\windows\system32\mshta.exe
2011-06-13 14:38 . 2011-06-13 14:38 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-06-13 14:38 . 2011-06-13 14:38 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-06-13 14:38 . 2011-06-13 14:38 101888 ----a-w- c:\windows\system32\admparse.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-08 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]
"Skytel"="Skytel.exe" [2007-10-11 1826816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Malwarebytes' Anti-Malware"="c:\users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"Malwarebytes' Anti-Malware (reboot)"="c:\users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-11-10 18:13 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 11:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 09:31 630784 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-08 22:48 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-03-01 13:24 857648 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 135664]
R3 CapFilt;CapFilt; [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 135664]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
S2 MBAMService;MBAMService;c:\users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 SlingAgentService;SlingAgent Service;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2008-09-21 93960]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 22:48]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 22:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 66.0.214.14 207.230.75.50
FF - ProfilePath - c:\users\PKR4599\AppData\Roaming\Mozilla\Firefox\Profiles\1pxn59ft.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-08 15:13
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-09-08 15:16:12
ComboFix-quarantined-files.txt 2011-09-08 19:15
ComboFix2.txt 2011-09-02 17:09
ComboFix3.txt 2009-06-11 21:16
.
Pre-Run: 58,036,322,304 bytes free
Post-Run: 58,824,716,288 bytes free
.
- - End Of File - - E94CB9AC3A2ACE5DB0A87325B1165F6A
 
Looks good> Let's take some processes off of startup:
Please run this Custom CFScript:

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-
Save this as CFScript.txt, in the same location as ComboFix.exe.
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================.
I have removed the Registry entries that load the following> None of them need to start on boot. Please take the following processes off of the Start Menu:
reader_sl.exe
AdobeUpdater.exe
iTunesHelper.exe
QTTask.exe
sm56hlpr.exe

Have the problems been resolved?

Almost forgot: Open Firefox> Tools> Addons> Plug-ins> remove Java v6u12, u14, u15, u17, u18.
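The CFScript above names registry keys and values in a `Registry::` section and relies on the post-run log to show what happened. The script below is an added example for this thread, not ComboFix's own code and not something the helper posted. It parses the key blocks of a ComboFix "Reg Loading Points" section (SAMPLE_LOG is a constructed excerpt modelled on the log in this thread), lists the commands under the Run keys, writes the `Registry::` section in .reg (REGEDIT4) syntax, where `[-KEY]` deletes a key and `"name"=-` deletes a value, and then re-reads a post-run log to report any requested deletion that still appears. The `msconfig\startupreg` keys are where MSCONFIG's Selective Startup records items that have been unticked, and `AntiVirusOverride` under `security center\Svc` is the flag that silences Security Center's antivirus warning, so both are worth confirming after the run. Function and constant names are the example's own.

```python
"""Parse ComboFix 'Reg Loading Points', emit a CFScript Registry:: section,
and confirm after the run that the requested deletions actually happened.
Added example for this thread; not ComboFix's code. SAMPLE_LOG is a
constructed excerpt modelled on the log posted above."""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 11:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 135664]
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")          # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"=')                 # "name"=...
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"')          # "name"="command" [date size]

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
SECURITY_CENTER_SVC = r"HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc"
# What the CFScript step above targets: whole startupreg keys, and one value.
DELETE_KEYS = [STARTUPREG + r"\iTunesHelper", STARTUPREG + r"\QuickTime Task"]
DELETE_VALUES = {SECURITY_CENTER_SVC: ["AntiVirusOverride"]}


def parse_loading_points(log: str) -> Dict[str, List[str]]:
    """{registry key (lower-cased): [lines ComboFix listed under it]}.
    A lone '.' ends a key block; the Scheduled Tasks heading ends the section."""
    keys: Dict[str, List[str]] = {}
    current, in_section = None, False
    for raw in log.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Contents of the"):
            break
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, [])
        elif line in (".", ""):
            current = None
        elif current is not None:
            keys[current].append(line)
    return keys


def autostart_commands(keys: Dict[str, List[str]]) -> Dict[str, str]:
    r"""name -> command for every value under a ...\CurrentVersion\Run key."""
    cmds: Dict[str, str] = {}
    for key, entries in keys.items():
        if key.endswith(r"\currentversion\run"):
            for entry in entries:
                m = RUN_RE.match(entry)
                if m:
                    cmds[m.group(1)] = m.group(2)
    return cmds


def build_cfscript(delete_keys: List[str], delete_values: Dict[str, List[str]]) -> str:
    """Registry:: section in .reg syntax: [-KEY] deletes a key, "name"=- a value.
    A bare [KEY] line only selects the key; it deletes nothing by itself."""
    lines = ["Registry::"]
    lines += [f"[-{key}]" for key in delete_keys]
    for key, names in delete_values.items():
        lines.append(f"[{key}]")
        lines += [f'"{name}"=-' for name in names]
    return "\n".join(lines) + "\n"


def still_present(post_log: str, delete_keys: List[str],
                  delete_values: Dict[str, List[str]]) -> List[str]:
    """Requested deletions that a post-run log still lists (empty = all gone)."""
    found = parse_loading_points(post_log)
    left = [key for key in delete_keys if key.lower() in found]
    for key, names in delete_values.items():
        for entry in found.get(key.lower(), []):
            m = VALUE_RE.match(entry)
            if m and m.group(1) in names:
                left.append(key + "\\" + m.group(1))
    return left


if __name__ == "__main__":
    print(build_cfscript(DELETE_KEYS, DELETE_VALUES))
    # Feed the post-run ComboFix.txt here; anything listed did not get removed.
    for item in still_present(SAMPLE_LOG, DELETE_KEYS, DELETE_VALUES):
        print("still present:", item)
```

Run it against the post-run `C:\ComboFix.txt` instead of SAMPLE_LOG: if `still_present` returns anything, the entry survived the run (ComboFix reports only orphaned msconfig entries under "ORPHANS REMOVED", so silence there is not proof of deletion), and the item needs a second pass with the key or value spelled in the deleting form.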
 
cfscript log #2

ComboFix 11-09-08.03 - PKR4599 09/11/2011 15:18:24.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3063.1959 [GMT -4:00]
Running from: c:\users\PKR4599\Desktop\ComboFix.exe
Command switches used :: c:\users\PKR4599\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-11 to 2011-09-11 )))))))))))))))))))))))))))))))
.
.
2011-09-11 19:24 . 2011-09-11 19:24 -------- d-----w- c:\users\PKR4599\AppData\Local\temp
2011-09-11 19:24 . 2011-09-11 19:24 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-09-11 19:24 . 2011-09-11 19:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-30 03:09 . 2011-08-30 03:09 -------- d-----w- c:\users\PKR4599\AppData\Roaming\Malwarebytes
2011-08-30 03:09 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-30 03:09 . 2011-08-30 03:09 -------- d-----w- c:\programdata\Malwarebytes
2011-08-30 03:09 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 00:25 . 2011-09-02 16:10 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-08-30 00:25 . 2011-09-02 16:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-29 21:33 . 2011-08-29 21:33 -------- d-----w- c:\users\PKR4599\AppData\Roaming\Avira
2011-08-29 21:30 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-29 21:30 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-29 21:30 . 2011-08-29 21:30 -------- d-----w- c:\programdata\Avira
2011-08-29 21:30 . 2011-08-29 21:30 -------- d-----w- c:\program files\Avira
2011-08-29 19:47 . 2011-08-30 00:06 -------- d-----w- c:\program files\PC Tools Security
2011-08-29 19:39 . 2011-08-29 21:10 -------- d-----w- c:\programdata\PC Tools
2011-08-26 14:52 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5EF5FD60-C260-46F0-9806-1CFB879118C5}\mpengine.dll
2011-08-24 18:30 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-17 16:33 . 2011-08-17 16:33 22032 ----a-w- c:\windows\DCEBoot.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-22 02:54 . 2011-08-10 07:09 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48 . 2011-08-10 07:09 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44 . 2011-08-10 07:09 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-09 21:52 . 2011-07-09 21:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 15:31 . 2011-08-09 20:45 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-20 08:54 . 2011-08-09 20:45 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-20 08:54 . 2011-08-09 20:45 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-17 20:13 . 2011-08-09 20:45 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-17 16:03 . 2011-08-09 20:45 375808 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-08 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"Malwarebytes' Anti-Malware (reboot)"="c:\users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 11:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-10-11 03:04 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 09:31 630784 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-08 22:48 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-03-01 13:24 857648 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 14:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 135664]
R3 CapFilt;CapFilt; [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 135664]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
S2 MBAMService;MBAMService;c:\users\PKR4599\Desktop\Anti VirusMalware\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 SlingAgentService;SlingAgent Service;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2008-09-21 93960]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 22:48]
.
2011-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 22:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-11 15:24
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-09-11 15:26:56
ComboFix-quarantined-files.txt 2011-09-11 19:26
ComboFix2.txt 2011-09-08 19:16
ComboFix3.txt 2011-09-02 17:09
ComboFix4.txt 2009-06-11 21:16
.
Pre-Run: 59,670,884,352 bytes free
Post-Run: 59,641,339,904 bytes free
.
- - End Of File - - C6ED62D86F91E84B2C65002E48E28854
 
answer/question

I have totally removed firefox... Will that take care of the JAVA update problem?

Also, I do not know how to take those programs off the start menu... Please advise.
 
If you weren't using Firefox, the uninstall was fine. But to do that just to remove outdated Java is overkill!

How to use MSCONFIG in Windows Vista
  1. Click on the Vista start icon in the bottom left corner of your screen.
  2. Type MSCONFIG> press enter
  3. Vista asks permission to use this account:
    [image: admin_user_account_control.gif]
  4. Follow the on-screen prompts to give Vista permission to continue.
  5. When finished with UAC, Microsoft's System Configuration Utility will display
    [image: vista_msconfig.gif]

    Note: change from image> check Selective Startup
  6. Click on the Startup tab.
  7. Vista loads essential programs through "Windows Services" so what you see here are optional.
  8. Check the box for each process that you do not want to start on boot
    You can safely check the following:
    reader_sl.exe
    AdobeUpdater.exe
    iTunesHelper.exe
    QTTask.exe
    sm56hlpr.exe
  9. Click on OK
  10. If this box displays, click the box by the message 'Don't show this message again', then click Restart:
    [image: restart_box_vista.gif]

All images courtesy netsquirrel.com

You may get a nag message the first time you reboot again. If so, check not to show again. Stay in Selective Startup to keep the changes.
 