Inactive Possible malware.. dll player win 32

[irfhanif]

Hi
got a call from hsbc yesterday saying somebody tried but were unsuccessful in accesing my account. ran avg scan and found something called dll player running under win32..
here are the logs:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7432

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/11/2011 9:39:45 AM
mbam-log-2011-08-11 (09-39-45).txt

Scan type: Quick scan
Objects scanned: 176521
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\my documents\downloads\xvidsetup (1).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\my documents\downloads\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.

 

[irfhanif]

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-11 10:21:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port0Path0Target0Lun0 ST332041 rev.HP35
Running: frygbfdj.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uftdapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 10:24:14 on 2011-08-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.933 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gemalto\GAC\GACService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Gemalto\Classic Client\BIN\GslShmSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Gemalto\Classic Client\BIN\GCardSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\windows\system32\notepad.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

 

[irfhanif]

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/5/2010 9:16:49 PM
System Uptime: 8/11/2011 9:45:52 AM (1 hours ago)
.
Motherboard: PEGATRON CORPORATION | | 2A9Eh
Processor: AMD Athlon(tm) II X2 215 Processor | CPU 1 | 2700/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 294 GiB total, 270.787 GiB free.
D: is FIXED (NTFS) - 5 GiB total, 0.402 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Photosmart C309a series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: C309a,192.168.1.69
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C309a series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C309a series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP125: 5/10/2011 11:13:37 PM - System Checkpoint
RP126: 5/11/2011 11:01:05 PM - Software Distribution Service 3.0
RP127: 5/16/2011 12:23:43 AM - System Checkpoint
RP128: 5/17/2011 9:24:45 AM - System Checkpoint
RP129: 5/25/2011 8:37:17 AM - System Checkpoint
RP130: 5/26/2011 11:16:17 PM - System Checkpoint
RP131: 5/27/2011 11:33:29 PM - System Checkpoint
RP132: 5/29/2011 1:57:52 PM - System Checkpoint
RP133: 5/30/2011 10:24:55 PM - System Checkpoint
RP134: 6/2/2011 3:41:53 PM - System Checkpoint
RP135: 6/5/2011 12:21:28 PM - System Checkpoint
RP136: 6/6/2011 12:27:06 PM - System Checkpoint
RP137: 6/8/2011 1:00:58 AM - System Checkpoint
RP138: 6/8/2011 10:59:32 PM - Software Distribution Service 3.0
RP139: 6/10/2011 11:31:40 PM - System Checkpoint
RP140: 6/12/2011 11:14:12 PM - System Checkpoint
RP141: 6/13/2011 11:34:49 PM - System Checkpoint
RP142: 6/16/2011 11:37:10 PM - Software Distribution Service 3.0
RP143: 6/18/2011 3:18:01 AM - System Checkpoint
RP144: 6/18/2011 11:01:23 PM - Software Distribution Service 3.0
RP145: 6/19/2011 11:13:14 PM - System Checkpoint
RP146: 6/20/2011 11:55:12 PM - System Checkpoint
RP147: 6/24/2011 12:00:46 PM - Installed WinZip 15.5
RP148: 6/26/2011 11:12:50 PM - System Checkpoint
RP149: 6/28/2011 1:37:57 AM - System Checkpoint
RP150: 6/28/2011 11:04:29 PM - Software Distribution Service 3.0
RP151: 6/30/2011 8:49:21 AM - System Checkpoint
RP152: 7/2/2011 10:33:00 AM - System Checkpoint
RP153: 7/4/2011 2:41:41 PM - System Checkpoint
RP154: 7/7/2011 9:15:02 AM - System Checkpoint
RP155: 7/10/2011 2:42:23 PM - System Checkpoint
RP156: 7/12/2011 10:58:45 PM - System Checkpoint
RP157: 7/13/2011 11:17:58 PM - Software Distribution Service 3.0
RP158: 7/16/2011 4:19:14 PM - System Checkpoint
RP159: 7/24/2011 2:16:40 AM - System Checkpoint
RP160: 7/31/2011 4:24:08 PM - System Checkpoint
RP161: 8/7/2011 1:25:22 PM - System Checkpoint
RP162: 8/9/2011 8:57:03 AM - System Checkpoint
RP163: 8/10/2011 11:31:02 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
3Connect
Activation Assistant for the 2007 Microsoft Office suites
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AVG 2011
Brother HL-5350DN
BufferChm
C309a
Center Manager System
Cisco Systems VPN Client 5.0.04.0300
Classic Client 5.1.7 for NHS
Definition update for Microsoft Office 2010 (KB982726)
Destinations
DeviceDiscovery
DocProc
Fax
GemAuthenticate Client v5.2.7.1
Google Chrome
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952117-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB958756)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 13.0
HP Help and Support
HP Imaging Device Functions 13.0
HP Photosmart C309a All-In-One Driver Software 13.0 Rel .5
HP Photosmart Essential 3.5
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotosmartEssential
HPProductAssistant
HPSSupply
InterVideo WinDVD 8
Java Auto Updater
Java(TM) 6 Update 24
Malwarebytes' Anti-Malware version 1.51.1.1800
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 14
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Network
NHS Identity Agent v11.02.00a
Norton Online Backup
NVIDIA Drivers
OCR Software by I.R.I.S. 13.0
OGA Notifier 2.0.0048.0
OMNIKEY 5x21, 5x25 PC/SC Driver
OMNIKEY CardMan 3x21 PC/SC Driver
PDF Complete Special Edition
PDF Settings
Player
PS_AIO_05_C309_Software_Min
Realtek High Definition Audio Driver
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Excel 2010 (KB2523021)
Security Update for Microsoft InfoPath 2010 (KB2510065)
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft PowerPoint 2010 (KB2519975)
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft Word 2010 (KB2345000)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Shop for HP Supplies
SmartWebPrinting
SolutionCenter
Status
Super NetSurveillance
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2413186)
Update for Microsoft Office 2010 (KB2523113)
Update for Microsoft OneNote 2010 (KB2493983)
Update for Microsoft Outlook Social Connector (KB2441641)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
WinCOS
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Live Essentials
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Upload Tool
WinZip 15.5
Yahoo! Toolbar
ZTE_1.2059.0.8
.
==== Event Viewer Messages From Past Week ========
.
8/7/2011 11:39:15 AM, error: Service Control Manager [7034] - The GemSAFE Card Server service terminated unexpectedly. It has done this 1 time(s).
8/4/2011 8:12:09 AM, error: SCardSvr [610] - Smart Card Reader 'OMNIKEY CardMan 3x21 0' rejected IOCTL TRANSMIT: The semaphore timeout period has expired.
8/4/2011 8:12:09 AM, error: cxbu0wdm [0] - Callback function of \Device\VID_076B&PID_3021_000 did not succeed. IOCTL TRANSMIT failed with status 0x.
8/11/2011 9:47:06 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi
.
==== End Of File ===========================

 

[Bobbye]

Welcome to TechSpot! I'll help with the malware problem but would like to clarify some things

1. :Re: hsbc account: Are you referring to HSBC Bank USA, N.A.?
2. There is a media player with name Player. DLL
3. I can't make anything out of Win 32 or the player.dll. Did the bank give you any indication of the type of attack? Is there reason they suspect it came from your computer, not the internet?

I can have you run scans and they may find malware- but it may not be responsible for the attempted hack. It's not likely that a media player would try to crack into a bank account!
====================================================
You will temporarily have to uninstall AVG as Combofix won't run with it on the system. After it's removed, please select one of the temporary AV programs:
Download AppRemover and save to the desktop

1. Double click the setup on the desktop> click Next
2. Select “Remove Security Application”
3. Let scan finish to determine security apps
4. A screen like below will appear:
   
   
5. Click on Next after choice has been made
6. Check the AVG program you want to uninstall
7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop

• Double click combofix.exe & follow the prompts.
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
• Once installed, you should see a blue screen prompt that says:
  The Recovery Console was successfully installed.
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• .Close any open browsers.
• .Double click combofix.exe
  
  & follow the prompts to run.
• When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=========================================

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESETOnlineScan
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  [o] Double click on the
  
  on your desktop.
• Check 'Yes I accept terms of use.'
• Click Start button
• Accept any security warnings from your browser.
  
  
• Uncheck 'Remove found threats'
• Check 'Scan archives/
• Leave remaining settings as is.
• Press the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
• When the scan completes, press List of found threats
• Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
• Push the Back button
• Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=======================================
My Guidelines: please read and follow:

• Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
• Read my instructions carefully. If you don't understand or have a problem, ask me.
• If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
• Follow the order of the tasks I give you. Order is crucial in cleaning process.
• File sharing programs should be uninstalled or disabled during the cleaning process..
• Observe these:
  [o] Don't use any other cleaning programs or scans while I'm helping you.
  [o] Don't use a Registry cleaner or make any changes in the Registry.
  [o] Don't download and install new programs- except those I give you.
• Please let me know if there is any change in the system.

If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================

 

[irfhanif]

win32 player

sorry for the confusion.. i meant that my bank hsbc uk got in contact with me saying that there had been an attempt to authorise payment from apple store. i have run avg and the only threat that came up was the player.dll. and the malware scan came up with two threats that have been quarantined and delted

 

[Bobbye]

It there some reason why you didn't paste in the full DDS.txt log? This is the lst entry but there are more categories missing.
BHOJQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

The Attach.txt log is okay. I'd like to have the full DDS.txt log.
=====================================
This may be what the bank was referring to:
Apple QuickTime Player DLL Hijacking:
http://packetstormsecurity.org/files/93764/Apple-QuickTime-Player-DLL-Hijacking.html
Apple QuickTime Player version 7.64.17.73 suffers from an insecure DLL hijacking vulnerability.

Please refer to the site and see if any of these considerations refer to your system. Without the full log, I cannot tell if you have any QuickTime processes running, iTunes or Apple..
=======================================
Please be advised of this: the malware entries in Mbam were found on download xvidsetup.exe. This is aSpywaerw.Password.XGen Since your bank is involved, I strongly advise you to change all of your passwords and closely monitor any online financial transactions.
=======================================
Please post the logs from Combofix and Eset when ready.

The attempted hack could have come from the internet. I will know more when I see the logs.

 

[irfhanif]

HERE IS DDS LOG

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 10:24:14 on 2011-08-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.933 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gemalto\GAC\GACService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Gemalto\Classic Client\BIN\GslShmSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Gemalto\Classic Client\BIN\GCardSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\windows\system32\notepad.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NortonOnlineBackupReminder] "c:\program files\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [GACService] c:\program files\gemalto\gac\GACService.exe
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: S&end to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: pharmasysuk.com\v3
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
Trusted Zone: nhs.uk\cms.national.ncrs
Trusted Zone: nhs.uk\nww.ebs.ncrs
Trusted Zone: nhs.uk\portal.national.ncrs
Trusted Zone: nhs.uk\portal2.national.ncrs
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://v3.pharmasysuk.com/pharmasysv1/smsx.cab
DPF: {3FB84210-0311-49BA-AFF7-A2C50E2D20B6} - hxxp://192.168.1.69/web.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{D8540D9C-DB2C-4C37-AA73-4D140415D022} : DhcpNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
Hosts: 84.45.28.97 gas.national.ncrs.nhs.uk
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 297168]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-25 214024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-12-7 1737464]
R2 GslShmSrvc ;GSL Share Memory;c:\program files\gemalto\classic client\bin\GslShmSrvc.exe [2007-10-19 57344]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-5-25 635416]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [2010-8-6 97792]
S2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\gemalto\classic client\bin\GCardSrvNT.exe [2008-4-14 118784]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-12-7 9216]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-11 41272]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2010-5-25 79816]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2010-5-25 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-5-25 34248]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 10:24:50.20 ===============

 

[irfhanif]

COMBO FIX

ComboFix 11-08-13.01 - Administrator 08/13/2011 12:36:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1159 [GMT 1:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-13 to 2011-08-13 )))))))))))))))))))))))))))))))
.
.
2011-08-13 11:11 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-13 11:11 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-13 11:11 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-13 11:11 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-13 11:11 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-13 11:11 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-13 11:11 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-13 11:11 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-13 11:09 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-13 11:09 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-13 11:09 . 2011-08-13 11:09 -------- d-----w- c:\program files\AVAST Software
2011-08-13 11:09 . 2011-08-13 11:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-11 08:16 . 2011-08-11 08:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-11 08:16 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-11 08:15 . 2011-08-11 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-11 08:15 . 2011-08-11 08:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-11 08:15 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 08:05 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 08:05 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-01 11:52 . 2011-08-10 10:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WinZip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2008-04-14 09:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-14 09:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2008-04-14 09:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2008-04-14 09:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2008-04-14 09:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2008-04-14 09:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2008-04-14 09:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-14 09:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2008-04-14 09:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2009-07-08 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-08 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-08 13762560]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-16 18782720]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-06-18 563736]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"GACService"="c:\program files\Gemalto\GAC\GACService.exe" [2008-07-25 1597531]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-12-08 1086776]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2010-8-6 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-4-15 610120]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/13/2011 12:11 PM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/13/2011 12:11 PM 19544]
R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [12/7/2010 4:16 PM 1737464]
R2 GslShmSrvc ;GSL Share Memory;c:\program files\Gemalto\Classic Client\BIN\GslShmSrvc.exe [10/19/2007 4:09 PM 57344]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [5/25/2010 8:26 PM 635416]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/18/2007 4:09 AM 11032]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [8/6/2010 9:56 AM 97792]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/13/2011 12:11 PM 441176]
S2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\Gemalto\Classic Client\BIN\GCardSrvNT.exe [4/14/2008 2:23 PM 118784]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [12/7/2010 4:16 PM 9216]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 11:25 AM 30969208]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 10:00 AM 14336]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMON2
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - AVAST!_ANTIVIRUS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1154361124-2300220328-3701590245-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-05 19:31]
.
2011-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1154361124-2300220328-3701590245-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-05 19:31]
.
2011-08-13 c:\windows\Tasks\User_Feed_Synchronization-{0E99CC20-AB0A-4EC9-9C68-346D23994AFF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: S&end to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: pharmasysuk.com\v3
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
Trusted Zone: nhs.uk\cms.national.ncrs
Trusted Zone: nhs.uk\nww.ebs.ncrs
Trusted Zone: nhs.uk\portal.national.ncrs
Trusted Zone: nhs.uk\portal2.national.ncrs
TCP: DhcpNameServer = 192.168.1.254
DPF: {3FB84210-0311-49BA-AFF7-A2C50E2D20B6} - hxxp://192.168.1.69/web.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-13 12:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1154361124-2300220328-3701590245-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,a2,11,5f,00,6e,88,4e,b9,f4,87,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,a2,11,5f,00,6e,88,4e,b9,f4,87,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\program files\Gemalto\Classic Client\BIN\GSafeCSP.dll
c:\program files\Gemalto\Common\Resources\LocHub.dll
c:\program files\Gemalto\Classic Client\BIN\GUICore.dll
c:\program files\Gemalto\Classic Client\BIN\GCLIB.DLL
c:\program files\Gemalto\Classic Client\BIN\gck2014x.DLL
c:\program files\Gemalto\Classic Client\BIN\pk2GemID.dll
c:\program files\Gemalto\Classic Client\BIN\pk2GPK16.dll
.
- - - - - - - > 'explorer.exe'(3476)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-08-13 12:44:15
ComboFix-quarantined-files.txt 2011-08-13 11:44
.
Pre-Run: 291,225,387,008 bytes free
Post-Run: 292,392,656,896 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 00FDCE7F9E080BEF6751C933AED438AE

 

[irfhanif]

esets

C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\40\63dde168-55376f12 a variant of Java/Rowindal.A trojan
C:\pharmaSys\Flash Player\installer_adobe_flash_player_(ie_&_aol)_10_0_22_87_English.exe Win32/Hoax.ArchSMS.KC application

 

[Bobbye]

You didn't place all of these in the Trusted Zone, did you? This is a very curious assortment! Nothing needs to be in the Trusted Zone. The security is lower in that zone and so presents a vulnerability to the system. I'd like some comment from you on this before I have you zap them all out!

The fist domain is also as malware entry in Eset- I added a description of what it is.

Trusted Zone: pharmasysuk.com\v3 (pharmaSys is a unique, web based pharmacy management system.)
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
Trusted Zone: nhs.uk\cms.national.ncrs
Trusted Zone: nhs.uk\nww.ebs.ncrs
Trusted Zone: nhs.uk\portal.national.ncrs
Trusted Zone: nhs.uk\portal2.national.ncrs

============================================
You need to empty the Java cache for malware:
To clear the Java Plug-in cache:

• 
  [1]. Click Start > Control Panel.
  [2]. Double-click the Java icon in the control panel.
  
  The Java Control Panel appears.
  
  
  
  [3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.
  
  
  
  [4] Click Delete Files.The Delete Temporary Files dialog box appears.
  
  
  
  [5]. Click OK on Delete Temporary Files window.
  Note: This deletes all the Downloaded Applications and Applets from the cache.
  [6]. Click Apply> OK on Temporary Files Settings window.

Images courtesy java.com
=======================================
For other Eset entry:

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Files  
  C:\pharmaSys\Flash Player\installer_adobe_flash_player_(ie_&_aol)_10_0_22_87_English.exe
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============================================
Note the name of the infected file in Eset:
C:\pharmaSys\Flash Player\installer_adobe_flash_player_(ie_&_aol)_10_0_22_87_English.exe
I wonder if this could have anything to do with the bank hack.

 

[irfhanif]

sorry i dont get what you mean by trusted system???

 

[Bobbye]

Sorry- missed your thread. Thank you for your patience. If you don't know what I'm referring to about the Trusted sites, the you didn't put them there:

We'll remove all of them and then get good host files back:

Please downloadDelDomains and unzip it to your desktop. Do not run it yet.

• Close all open browsers
• Right click on deldomains.infand select Install.

Note: Note: this will remove all entries in the Trusted Zone and Restricted Zone.
====================================
Can you tell me about the use of this program: Gemalto\Classic Client They are all running under the logon and are all bin files:

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\Gemalto\Classic Client\BIN\GSafeCSP.dll
c:\program files\Gemalto\Common\Resources\LocHub.dll
c:\program files\Gemalto\Classic Client\BIN\GUICore.dll
c:\program files\Gemalto\Classic Client\BIN\GCLIB.DLL
c:\program files\Gemalto\Classic Client\BIN\gck2014x.DLL
c:\program files\Gemalto\Classic Client\BIN\pk2GemID.dll
c:\program files\Gemalto\Classic Client\BIN\pk2GPK16.dll