Unable to install Java, infected files in AVG Virus Vault

greenly
Hi,

I have a virus which I think is preventing me from installing Java. I don't know what my next step from here is and would be grateful to anyone willing to help.

I have attached a few screen shots.

The first one pops up after I try installing Java.
The second shows the my AVG Virus Vault.

Also I don't see the "AppData" file anywhere on my hard drive, is this because its in the virus vault?

Does anyone have any recommendations how I can solve this problem and install Java?

Thank you,

greenly
 

Attachments: java 1.JPG (29 KB), java2.JPG (36.8 KB)
Thank you for the images, and welcome to TechSpot. Let's try and resolve this:

First:
Click on Start> Control Panel> Java> Temporary internet files> Settings> Delete all these files> Close Java.
This should clear the exploit.

Second:
The Windows Installer appears to be damaged. That probably means your connection to download the Java 6u21 installer was broken before the download could finish.

Delete the indicated MSI file and the installer you downloaded, if any; clear your browser's cache; then re-download the installer. See if that fixes your problem.

Easiest way to clear the browser cache is to run TFC:

TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Empty the Recycle Bin

FYI: "AppData" just means 'application data'> it's not specific.

See if you can update after the above. Try the update again> be sure to reboot the computer when finished above, before attempting the update again. Then check the virus vault and see if the entry is still there; if it is, delete it.

Let me know your status at this point.
 
Hi Bobbye and thank you for responding.

First:
Click on Start> Control Panel> Java> Temporary internet files> Settings> Delete all these files> Close Java.
This should clear the exploit.

I think this is part of the problem, because when I go to Control Panel > Java nothing pops up. There is a link there, but when I click nothing happens; it won't open.

Since I can't click on Java, will going to "Internet Properties" and then deleting all "Temp. Internet Files" do the same thing you described in terms of clearing the exploit? (see my attached screen shot "1")

Second:
The Windows Installer appears to be damaged. That probably means your connection to download the Java 6u21 installer was broken before the download could finish.

Delete the indicated MSI file and the installer you downloaded, if any; clear your browser's cache; then re-download the installer. See if that fixes your problem.

I am sorry, maybe it's a stupid question, but where can I find the MSI file so I can delete it? I searched the whole hard drive and only found a folder called "jre1.6.0_21", which only contains some .jpg file. Is this the folder I am supposed to delete?

Do you think maybe the MSI file (jre1.6.0_21-pfrom20.msi) is in the AVG Virus Vault and that is why I can't find it and delete it? Maybe if I clear out the virus vault that would also delete the file?

I also ran TFC and rebooted my computer, downloaded the installer, but still the same thing happens as described in my first post. (see attachment "java 1" in first post)

Thank you again, Bobbye.

greenly
 

Attachments: 1.JPG (106.8 KB)
Unfortunately, the Java cache is separate and has to be emptied separately. There is an exploit in it. Strange that AVG won't let you delete it.

You have a new installer-msi-right? I'd like you to check and see what you have on the system, but using Windows Explorer:
Windows key + E> My Computer> Double click on Local Drive (C)> Program> look for Java and double click to open. Look on the right screen and let me know what's there. If it's jre6, double click on that and tell me what's there. We need to find out why it isn't displaying in the Control Panel.

I'd like you to go ahead and run the following. Do the Eset scan first:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Then run our preliminary scanning programs. Please paste all of the logs in, even if you need to use multiple posts. When you open Notebook for the logs, click on Format and uncheck Word Wrap if it's checked:

Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
You have a new installer-msi-right? I'd like you to check and see what you have on the system, but using Windows Explorer:
Windows key + E> My Computer> Double click on Local Drive (C)> Program> look for Java and double click to open. Look on the right screen and let me know what's there. If it's jre6, double click on that and tell me what's there. We need to find out why it isn't displaying in the Control Panel.

I am doing the scan right now and it's taking some time, so I thought I could post some questions.

You asked if I have a new "installer-msi". Is this the file used to launch the Java download? I am not sure what "installer-msi" is, sorry about that.

Also in the Java folder in Programs I do have a folder called "jre6" (I took a screen shot of what is in it, see attachment)

One more thing, yesterday I emptied my AVG Virus Vault thinking if those files are deleted maybe it'll work but still nothing.

The Eset scan is at 49% and as soon as it's done I will post the results here.
 

Attachments: jre6.JPG (57.8 KB)
The Eset scan is finished. Everything is clear. No infections were found.

There is nothing really in the log file but I have attached it anyway.
 

Attachments: log.txt (76 bytes), eset scan done.JPG (61.9 KB)
Malwarebytes Anti-Malware

I just finished a Quick Scan using Malwarebytes Anti-Malware and it says everything is clean.

Here is the log
 

Attachments: mbam-log-2010-09-23 (22-16-55).txt (880 bytes)
Gmer

I downloaded the setup file for GMER and started the scan. Suddenly the scan stopped working and a window popped up saying there is a problem and it has to close. After that I got a blue screen with some numbers and 2 seconds later the computer shut down. I got back on in safe mode, deleted GMER, restarted and here I am now typing this.

Since GMER cannot work with Windows 7 64-bit, maybe it's also having some problems with my Windows 7 32-bit. I will skip GMER because it seems it's not agreeing with my computer (I am afraid it can cause bigger problems).
 
DDS

Here are the two files that came up after I ran DDS.

It said to put them in a zip folder, so I did.
 

Attachments: DDS and Attach.zip (9.8 KB)
No, it didn't say to put them in a zip folder. It said to zip the Attach.txt log. You do not need to leave images unless I request one or unless there is no other way to make the point.

These logs do not appear to have been run in 64 bit, so run this in 32 bit:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply. You can use more than one post if needed.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix.
 
Combofix log

ComboFix 10-09-24.03 - 252468 09/24/2010 18:10:43.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.1744 [GMT -5:00]
Running from: c:\users\252468\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Settings
c:\program files\Search Settings\kb128\SeARchsettings.dll
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\users\252468\g2mdlhlpx.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))
.

2010-09-24 23:08 . 2010-09-24 23:09 -------- d-----w- C:\32788R22FWJFW
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\users\252468\AppData\Roaming\Malwarebytes
2010-09-24 03:09 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\programdata\Malwarebytes
2010-09-24 03:09 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-24 01:37 . 2010-09-24 01:37 -------- d-----w- c:\program files\ESET
2010-09-23 16:59 . 2010-09-23 16:59 1377632 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-09-23 16:59 . 2010-09-23 16:59 942432 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-09-23 16:59 . 2010-09-23 16:59 598368 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-09-23 16:59 . 2010-09-23 16:59 4371296 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-09-23 16:59 . 2010-09-23 16:59 300896 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-09-23 16:58 . 2010-09-23 16:58 1690952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-09-20 14:56 . 2010-09-20 14:56 -------- d-----w- c:\users\252468\New folder
2010-09-15 16:29 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-02 00:01 . 2010-09-02 00:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\users\252468\AppData\Roaming\DVDVideoSoftIEHelpers
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\program files\DVDVideoSoft
2010-08-29 20:44 . 2009-10-05 14:31 1221632 ----a-w- c:\windows\system32\drivers\athr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-20 15:08 . 2009-04-22 15:14 -------- d-----w- c:\program files\Java
2010-09-20 15:08 . 2009-04-22 15:14 -------- d-----w- c:\program files\Common Files\Java
2010-09-20 15:07 . 2010-07-19 21:09 -------- d-----w- c:\users\252468\AppData\Roaming\IrfanView
2010-09-17 00:41 . 2010-08-18 00:35 -------- d-----w- c:\program files\Dl_cats
2010-09-15 21:52 . 2009-04-22 14:57 -------- d-----w- c:\programdata\Microsoft Help
2010-09-03 12:41 . 2009-04-22 15:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-29 20:44 . 2009-06-01 18:45 -------- d-----w- c:\program files\Atheros
2010-08-18 19:16 . 2010-08-18 19:16 -------- d-----w- c:\program files\BitZipper
2010-08-18 19:16 . 2010-08-18 19:16 -------- d-----w- c:\users\252468\AppData\Roaming\BitZipper
2010-08-18 00:35 . 2010-08-18 00:35 -------- d-----w- c:\program files\Dell AIO Printer 946
2010-08-11 23:06 . 2009-04-22 14:45 -------- d-----w- c:\program files\Microsoft Works
2010-08-11 22:02 . 2010-08-11 22:02 -------- d-----w- c:\users\Guest\AppData\Roaming\Apple Computer
2010-08-04 22:53 . 2010-08-04 22:53 -------- d-----w- c:\program files\Veoh Networks
2010-07-31 01:49 . 2010-07-31 01:24 -------- d-----w- c:\users\252468\AppData\Roaming\vlc
2010-07-31 01:24 . 2010-07-31 01:24 -------- d-----w- c:\program files\VideoLAN
2010-07-29 06:30 . 2010-08-11 16:22 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 16:22 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-18 22:37 . 2010-07-18 22:37 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-07-16 22:18 . 2010-07-16 22:18 98304 ----a-w- c:\programdata\WebEx\WebEx\500\webexrcd\atplayim.dll
2010-07-16 22:18 . 2010-07-16 22:18 5702 ----a-w- c:\programdata\WebEx\WebEx\500\atkbctl.dll
2010-07-16 22:18 . 2010-07-16 22:18 24576 ----a-w- c:\programdata\WebEx\WebEx\500\atmemmgr.dll
2010-07-15 20:25 . 2009-10-12 00:27 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 20:25 . 2010-07-15 20:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 20:24 . 2009-10-12 00:27 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 06:25 . 2010-08-11 16:22 978432 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 51712]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"DLCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-10-20 73728]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2007-01-12 435696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\users\252468\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ScreenHunter 5.1 Free.lnk - c:\program files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe [2009-12-26 5689344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 PAC207;Webcam 1200;c:\windows\system32\DRIVERS\PFC027.SYS [2007-06-29 611584]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-02 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-20 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe [2006-12-08 537480]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\HPCeeScheduleFor252468.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\users\252468\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
FF - ProfilePath - c:\users\252468\AppData\Roaming\Mozilla\Firefox\Profiles\kl5qu4jw.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=616163&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\252468\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
AddRemove-Adobe Acrobat Connect Add-in - c:\users\252468\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-09-24 18:18:14
ComboFix-quarantined-files.txt 2010-09-24 23:18

Pre-Run: 228,556,029,952 bytes free
Post-Run: 228,461,342,720 bytes free

- - End Of File - - EEE95533AA227E63FA5F64FEB0F60A89
 
Please check the Combofix logs on your desktop. It looks like part of the heading, which would include the status of the AV and FW, plus a section at the end after the locked Registry files, is missing. If you need a second post to paste it all in, it's okay.
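A small triage helper for the ComboFix log layout quoted above, added here as an illustration (it is not code from the thread or from ComboFix itself). It splits the log into its banner sections, lists the "Other Deletions" paths, pulls the autorun values out of the REGEDIT4 block, flags autoruns that live in a user profile or temp directory, and reports which header fields (the AV:/FW: status lines Bobbye mentions) and the End Of File marker are absent. The embedded sample log is constructed in the same layout; its user name, GUID and "Updater" entry are placeholders.

```python
"""Triage helper for the ComboFix log layout quoted in this thread (illustration
only, not ComboFix code): splits the '((((( Section )))))' blocks, lists the
'Other Deletions' paths, extracts autoruns from the REGEDIT4 block, flags
autoruns living in a user profile or temp dir, and reports missing header
fields (AV:/FW: status lines) and the End Of File marker."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\CurrentVersion\\Run)\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
EOF_RE = re.compile(r"^- - End Of File - - [0-9A-Fa-f]{32}$")
SUSPECT_PATH_RE = re.compile(r"\\users\\|\\temp\\|\\appdata\\", re.IGNORECASE)


@dataclass
class RunEntry:
    key: str        # registry key the value sits under
    name: str       # value name, e.g. "AVG9_TRAY"
    path: str       # executable ComboFix resolved
    file_date: str  # date ComboFix printed in brackets
    size: int       # file size in bytes


def split_sections(lines):
    """Map section title -> its lines; text before the first banner is HEADER."""
    sections, current = {"HEADER": []}, "HEADER"
    for line in lines:
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections


def parse_run_entries(lines):
    """Collect "name"="path" [date size] values found under ...\\Run keys."""
    entries, key = [], None
    for line in lines:
        s = line.strip()
        m = RUN_KEY_RE.match(s)
        if m:
            key = m.group(1)
            continue
        if s.startswith("[") and s.endswith("]"):  # some other key: stop collecting
            key = None
            continue
        v = RUN_VALUE_RE.match(s)
        if key and v:
            entries.append(RunEntry(key, v.group(1), v.group(2), v.group(3), int(v.group(4))))
    return entries


def triage(log_text):
    """Return a dict with deletions, run_entries, suspect_autoruns and missing fields."""
    lines = log_text.splitlines()
    sections = split_sections(lines)
    header = sections["HEADER"]
    missing = [label for prefix, label in (("ComboFix ", "ComboFix version line"),
                                           ("AV:", "AV: status line"),
                                           ("FW:", "FW: status line"))
               if not any(l.startswith(prefix) for l in header)]
    if not any(EOF_RE.match(l.strip()) for l in lines):
        missing.append("End Of File marker")
    deletions = [l.strip() for l in sections.get("Other Deletions", [])
                 if l.strip() and l.strip() != "."]
    runs = parse_run_entries(sections.get("Reg Loading Points", []))
    return {"deletions": deletions, "run_entries": runs,
            "suspect_autoruns": [e for e in runs if SUSPECT_PATH_RE.search(e.path)],
            "missing": missing}


# Constructed sample in the thread's layout; user name, GUID and "Updater" are placeholders.
SAMPLE_LOG = r"""ComboFix 10-09-24.03 - user 09/24/2010 18:10:43.1.2 - x86
Running from: c:\users\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {PLACEHOLDER-GUID}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Search Settings
c:\program files\Search Settings\SearchSettings.exe
c:\users\user\g2mdlhlpx.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Updater"="c:\users\user\AppData\Roaming\updater.exe" [2010-09-20 40960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
Completion time: 2010-09-24 18:18:14
"""

if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(k, "->", v)
```

On the sample the helper reports the FW: line and the End Of File marker as missing, which is the same kind of truncation Bobbye is asking the poster to check for.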
 
Hi Bobbye,

I just checked the log and everything is the same as in my post. Maybe something went wrong with the scan; should I scan again?

Also, I only have one log for Combofix. Is there supposed to be more?


Edit:

I have attached an image of what happens when I try clicking on the Java link in the Control Panel. Some pop-up window shows up for half a second and then automatically closes. I don't know what that is.
 

Attachments: java pop up.jpg (146.1 KB)
There is only one log for Combofix. There are 2 logs in DDS: DDS.txt and Attach.txt.
Okay, you did a great job with the images, but they really aren't helping me. The new one above is a double exposure of a black DOS screen over a Firefox Google search page. No, don't do it again!

Have you been able to delete the entry in the Virus Vault? Have you tried again? I'm moving some hidden Java related files in Firefox. That might help. Try removing any Java entries in Add/Remove Programs in the Control Panel. Then go to and see if the current Java will download. Check this site: Java Updates
==================================
Please run this Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\programdata\ezsidmv.dat
DirLook::
c:\users\252468\New folder
Extra::
File::
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
Firefox::
Firefox-: - Profile - c:\users\252468\appdata\roaming\mozilla\firefox\profiles\kl5qu4jw.default\

DDS::
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=- 
"ConsentPromptBehaviorUser"=- 

Driver:
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
 
Hi Bobbye,

I deleted all the files in my AVG Virus Vault and went to update java. Everything worked perfectly now. The java link now works and it opens to the Java Control Panel without any problems.

Do you still want me to run your Custom CFScript provided in your previous post?

Also, I would like a quick recommendation on something unrelated. If that is OK, can I ask here, should I pm you, or open another thread?

Thank you for all the help,

greenly
 
You're welcome. Yes, go ahead and run the script.
Be sure you go into Java in the Control Panel now and delete any temporary internet files. Run the script first.

Let's make sure there aren't any bad entries left:

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
new combofix log with CFScript

ComboFix 10-09-26.04 - 252468 09/27/2010 11:33:27.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.2105 [GMT -5:00]
Running from: c:\users\252468\Desktop\ComboFix.exe
Command switches used :: c:\users\252468\Desktop\CFScript.txt

FILE ::
"c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}"
"c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}"
"c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}"
"c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}"
"c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}"
"c:\programdata\ezsidmv.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\ezsidmv.dat
c:\users\252468\AppData\Local\Temp\C919.tmp

.
((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.

2010-09-27 16:38 . 2010-09-27 16:38 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-27 16:38 . 2010-09-27 16:38 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-09-27 16:38 . 2010-09-27 16:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-27 16:30 . 2010-09-27 16:31 -------- d-----w- C:\32788R22FWJFW
2010-09-27 00:30 . 2010-09-27 00:30 61440 ----a-w- c:\programdata\WebEx\WebEx\500\libfaac.dll
2010-09-27 00:30 . 2010-09-27 00:30 237568 ----a-w- c:\programdata\WebEx\WebEx\500\mpeg4convert.dll
2010-09-26 23:42 . 2010-09-26 23:42 -------- d-----w- c:\windows\Sun
2010-09-26 23:42 . 2010-09-26 23:42 -------- d-----w- c:\program files\Common Files\Java
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\users\252468\AppData\Roaming\Malwarebytes
2010-09-24 03:09 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\programdata\Malwarebytes
2010-09-24 03:09 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-24 01:37 . 2010-09-24 01:37 -------- d-----w- c:\program files\ESET
2010-09-23 16:59 . 2010-09-23 16:59 1377632 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-09-23 16:59 . 2010-09-23 16:59 942432 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-09-23 16:59 . 2010-09-23 16:59 598368 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-09-23 16:59 . 2010-09-23 16:59 4371296 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-09-23 16:59 . 2010-09-23 16:59 300896 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-09-23 16:58 . 2010-09-23 16:58 1690952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-09-20 14:56 . 2010-09-20 14:56 -------- d-----w- c:\users\252468\New folder
2010-09-15 16:29 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-02 00:01 . 2010-09-02 00:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\users\252468\AppData\Roaming\DVDVideoSoftIEHelpers
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\program files\DVDVideoSoft
2010-08-29 20:44 . 2009-10-05 14:31 1221632 ----a-w- c:\windows\system32\drivers\athr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-27 00:30 . 2010-07-16 22:17 2084864 ----a-w- c:\programdata\WebEx\WebEx\500\atpdmod.dll
2010-09-27 00:30 . 2010-07-16 22:17 188416 ----a-w- c:\programdata\WebEx\WebEx\500\nbrres.dll
2010-09-27 00:30 . 2010-07-16 22:17 118856 ----a-w- c:\programdata\WebEx\WebEx\500\atas32.dll
2010-09-27 00:30 . 2010-07-16 22:17 331776 ----a-w- c:\programdata\WebEx\WebEx\500\nbrpd.dll
2010-09-27 00:30 . 2010-07-16 22:17 396680 ----a-w- c:\programdata\WebEx\WebEx\500\atasctrl.dll
2010-09-27 00:30 . 2010-07-16 22:17 623928 ----a-w- c:\programdata\WebEx\WebEx\500\nbrpfw.dll
2010-09-26 23:42 . 2009-04-22 15:14 -------- d-----w- c:\program files\Java
2010-09-20 15:07 . 2010-07-19 21:09 -------- d-----w- c:\users\252468\AppData\Roaming\IrfanView
2010-09-17 00:41 . 2010-08-18 00:35 -------- d-----w- c:\program files\Dl_cats
2010-09-15 21:52 . 2009-04-22 14:57 -------- d-----w- c:\programdata\Microsoft Help
2010-09-03 12:41 . 2009-04-22 15:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-29 20:44 . 2009-06-01 18:45 -------- d-----w- c:\program files\Atheros
2010-08-18 19:16 . 2010-08-18 19:16 -------- d-----w- c:\program files\BitZipper
2010-08-18 19:16 . 2010-08-18 19:16 -------- d-----w- c:\users\252468\AppData\Roaming\BitZipper
2010-08-18 00:35 . 2010-08-18 00:35 -------- d-----w- c:\program files\Dell AIO Printer 946
2010-08-11 23:06 . 2009-04-22 14:45 -------- d-----w- c:\program files\Microsoft Works
2010-08-11 22:02 . 2010-08-11 22:02 -------- d-----w- c:\users\Guest\AppData\Roaming\Apple Computer
2010-08-04 22:53 . 2010-08-04 22:53 -------- d-----w- c:\program files\Veoh Networks
2010-07-31 01:49 . 2010-07-31 01:24 -------- d-----w- c:\users\252468\AppData\Roaming\vlc
2010-07-31 01:24 . 2010-07-31 01:24 -------- d-----w- c:\program files\VideoLAN
2010-07-29 06:30 . 2010-08-11 16:22 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 16:22 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-17 10:00 . 2010-07-11 13:39 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 22:18 . 2010-07-16 22:18 98304 ----a-w- c:\programdata\WebEx\WebEx\500\webexrcd\atplayim.dll
2010-07-16 22:18 . 2010-07-16 22:18 5702 ----a-w- c:\programdata\WebEx\WebEx\500\atkbctl.dll
2010-07-16 22:18 . 2010-07-16 22:18 24576 ----a-w- c:\programdata\WebEx\WebEx\500\atmemmgr.dll
2010-07-15 20:25 . 2009-10-12 00:27 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 20:25 . 2010-07-15 20:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 20:24 . 2009-10-12 00:27 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 06:25 . 2010-08-11 16:22 978432 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\252468\New folder ----



((((((((((((((((((((((((((((( SnapShot@2010-09-24_23.15.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-23 20:00 . 2010-09-27 15:37 34252 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 04:55 . 2010-09-24 04:17 45608 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-09-27 15:37 45608 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-11-19 16:50 . 2010-09-24 04:17 11460 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-590053503-1467220447-1855646765-1000_UserData.bin
+ 2009-11-19 16:50 . 2010-09-27 15:37 11460 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-590053503-1467220447-1855646765-1000_UserData.bin
- 2009-11-29 21:11 . 2010-09-24 23:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-29 21:11 . 2010-09-27 16:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-29 21:11 . 2010-09-27 16:00 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-29 21:11 . 2010-09-24 23:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-29 21:11 . 2010-09-27 16:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-29 21:11 . 2010-09-24 23:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-27 15:28 . 2010-09-27 15:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-09-24 16:32 . 2010-09-24 16:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-09-27 15:28 . 2010-09-27 15:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-09-24 16:32 . 2010-09-24 16:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-19 20:25 . 2010-09-27 04:18 320986 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2010-07-11 13:39 . 2010-04-12 22:29 153376 c:\windows\System32\javaws.exe
+ 2010-09-26 23:42 . 2010-07-17 10:00 153376 c:\windows\System32\javaws.exe
- 2010-07-11 13:39 . 2010-04-12 22:29 145184 c:\windows\System32\javaw.exe
+ 2010-09-26 23:42 . 2010-07-17 10:00 145184 c:\windows\System32\javaw.exe
- 2010-07-11 13:39 . 2010-04-12 22:29 145184 c:\windows\System32\java.exe
+ 2010-09-26 23:42 . 2010-07-17 10:00 145184 c:\windows\System32\java.exe
+ 2010-09-26 23:42 . 2010-09-26 23:42 183808 c:\windows\Installer\20477d1.msi
- 2009-07-14 02:03 . 2010-09-24 16:46 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:03 . 2010-09-27 04:28 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 51712]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"DLCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-10-20 73728]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2007-01-12 435696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\users\252468\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ScreenHunter 5.1 Free.lnk - c:\program files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe [2009-12-26 5689344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 PAC207;Webcam 1200;c:\windows\system32\DRIVERS\PFC027.SYS [2007-06-29 611584]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-02 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-20 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe [2006-12-08 537480]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\HPCeeScheduleFor252468.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 18:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\users\252468\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
FF - ProfilePath - c:\users\252468\AppData\Roaming\Mozilla\Firefox\Profiles\kl5qu4jw.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=616163&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\252468\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-09-27 11:41:08
ComboFix-quarantined-files.txt 2010-09-27 16:41
ComboFix2.txt 2010-09-24 23:18

Pre-Run: 228,645,818,368 bytes free
Post-Run: 228,604,936,192 bytes free

- - End Of File - - 381691BCA53BC06FD0BA048C29B4833D
 
HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:06:40 PM, on 9/27/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Dell AIO Printer 946\DLCImon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - Startup: ScreenHunter 5.1 Free.lnk = C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\252468\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} (HP Product Detection Control) - https://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: dlci_device - - C:\Windows\system32\dlcicoms.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9324 bytes
 
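Reading a HijackThis log like the one above is mostly a matter of asking the same questions of every autostart line: does the target file still exist, is it launched from a folder an ordinary user can write to, does it borrow the name of a core Windows binary, does the service name a vendor. The script below is an added example written for this thread, not part of the post or of HijackThis itself; it parses lines in HijackThis's own format and attaches review flags. The sample input is constructed from lines in the log above plus one invented entry (the "WinUpdate" line) to show what a genuinely suspicious one looks like. A flag is a prompt to look closer, not a verdict: the DVDVideoSoft entry lives in AppData because that is where that product installs its helper, and AVG's avgrsstx.dll is a legitimate AppInit_DLLs user.

```python
import re
from dataclasses import dataclass, field

# Folders an ordinary user can write to: where malware without admin rights has to live.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# Core Windows binary names that malware likes to borrow; real copies live under \Windows\.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
LINE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")


@dataclass
class Entry:
    section: str
    raw: str
    path: str
    flags: list = field(default_factory=list)


def extract_path(section, body):
    """Best-effort extraction of the launched file from a HijackThis line body."""
    if "(no file)" in body:
        return ""
    if section == "O4":
        # "[Name] command" for Run keys, "x.lnk = command" for Startup folders
        m = re.search(r"\]\s*(.*)$", body) or re.search(r"=\s*(.*)$", body)
        cmd = m.group(1) if m else body
    elif section == "O20":
        cmd = body.split(":", 1)[-1]
    else:
        # O2/O8/O9/O16/O18/O23: the file is the last " - " separated field
        cmd = body.rsplit(" - ", 1)[-1]
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32"):
        # rundll32 <dll>,<entry>: the DLL is what actually gets loaded
        cmd = cmd.split(None, 1)[1].split(",", 1)[0] if " " in cmd else ""
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    else:
        cmd = re.split(r"\s+[-/]", cmd, maxsplit=1)[0]  # drop " /Start"-style switches
    return cmd.strip()


def triage(log_text):
    """Parse HijackThis lines and attach review flags; no flag means 'nothing obvious'."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        e = Entry(section, raw.strip(), extract_path(section, body))
        low = e.path.lower()
        if "(no file)" in body:
            e.flags.append("orphaned entry: target file missing")
        if any(tok in low for tok in USER_WRITABLE):
            e.flags.append("runs from a user-writable location")
        if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in low:
            e.flags.append("core Windows binary name outside the Windows directory")
        if section == "O23":
            vendor = body.split(" - ")[1:-1]
            if not vendor or vendor[0].strip() in ("", "Unknown owner"):
                e.flags.append("service with no vendor string")
        if section == "O20":
            e.flags.append("AppInit_DLLs loads into every process: confirm the publisher")
        entries.append(e)
    return entries


def flagged(log_text):
    return [e for e in triage(log_text) if e.flags]


# Constructed sample: lines copied from the log above plus one invented entry (WinUpdate).
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe',
    r'O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start',
    r'O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16',
    r'O4 - HKCU\..\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup',
    r'O4 - Startup: ScreenHunter 5.1 Free.lnk = C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe',
    r'O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\252468\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm',
    r'O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)',
    r'O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll',
    r'O23 - Service: dlci_device - - C:\Windows\system32\dlcicoms.exe',
    r'O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe',
    r'O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe',
    r'O4 - HKCU\..\Run: [WinUpdate] C:\Users\252468\AppData\Roaming\svchost.exe',  # invented, hypothetical
])

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:4} {e.path or e.raw}")
        for f in e.flags:
            print(f"      -> {f}")
```

Run it against a whole saved log by replacing SAMPLE_LOG with the file contents; entries with no flags are the ones you can usually leave for the "optional startup trim" decision rather than the malware decision.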
Please run this Custom CFScript

[1]. Close any open browsers.
[2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Please reopen HijackThis to 'do system scan only.' Check each of the following, if present: Note: Optional removals are in green:
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5">> See Option 1.
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)


Close all windows except HijackThis and click on "Fix Checked."

Option: The files in green are not malware. They are entries running in the background, probably started on boot. They do not need to be running unless you are using them. They use resources from the system.

To help, for any you want to keep off of Startup, find the corresponding file on the Startup menu and Uncheck it.
For any that are started by a Service:
Start> Run> type in services.msc> double click to open the Service> Change Startup type to Manual. For instance:
HP Health Check Service
Cyberlink RichVideo Service(CRVS)
 
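The CFScript above was written by hand from the LOCKED REGISTRY KEYS section of the ComboFix log. The following is an added example, written for this thread and not part of ComboFix or of any post in it, that does the same transcription mechanically: it parses that section, keeps every key that carries an @Denied: line together with the subkeys ComboFix lists beneath it, and emits a RegLock:: block in the shape used above. The sample section is constructed from the keys in the posted log; PCW_KEY names the one the script above leaves out. Two caveats a practitioner would want: Adobe's own Flash Player installer places those Deny ACEs on its FlashBroker keys, so a Deny entry on its own is not evidence of tampering, and RegLock:: only resets permissions so ComboFix can read the key; it does not decide whether the key is malicious.

```python
import re

HEADER = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# The key the hand-written script above omits; passed to build_cfscript() as skip.
PCW_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security'

# Constructed sample in the shape of ComboFix's LOCKED REGISTRY KEYS section,
# using the keys from the log posted in this thread.
SAMPLE_SECTION = "\n".join([
    r'--------------------- LOCKED REGISTRY KEYS ---------------------',
    r'',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]',
    r'@Denied: (A 2) (Everyone)',
    r'@="FlashBroker"',
    r'',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]',
    r'"Enabled"=dword:00000001',
    r'',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]',
    r'@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"',
    r'',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]',
    r'@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"',
    r'',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]',
    r'@Denied: (A 2) (Everyone)',
    r'@="IFlashBroker4"',
    r'',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]',
    r'@="{00020424-0000-0000-C000-000000000046}"',
    r'',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]',
    r'@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"',
    r'',
    r'[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]',
    r'@Denied: (A) (Users)',
    r'@Denied: (A) (Everyone)',
    r'@Allowed: (B 1 2 3 4 5) (S-1-5-20)',
    r'',
    r'[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]',
    r'@Denied: (Full) (Everyone)',
])


def parse_locked_keys(section_text):
    """Map each key in the LOCKED REGISTRY KEYS section to its @Denied/@Allowed lines.

    Subkeys ComboFix lists without ACE lines of their own get an empty list.
    """
    keys, current = {}, None
    for line in section_text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
        elif current and line.startswith(("@Denied:", "@Allowed:")):
            keys[current].append(line)
    return keys


def denied_keys(keys):
    """Keys with a Deny ACE plus every listed subkey beneath one, as the script above lists them."""
    roots = [k for k, aces in keys.items() if any(a.startswith("@Denied:") for a in aces)]
    return [k for k in keys if any(k == r or k.startswith(r + "\\") for r in roots)]


def build_cfscript(keys, skip=()):
    """Emit a CFScript body with a RegLock:: section, omitting keys in `skip` and their subkeys."""
    lines = ["File::", "RegLock::"]
    for k in denied_keys(keys):
        if any(k == s or k.startswith(s + "\\") for s in skip):
            continue
        lines.append(f"[{k}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    keys = parse_locked_keys(SAMPLE_SECTION)
    for k, aces in keys.items():
        print(k, aces or "(no ACE line of its own)")
    print(build_cfscript(keys, skip=(PCW_KEY,)))
```

Paste a real log's section in place of SAMPLE_SECTION and save the printed block as CFScript.txt next to ComboFix.exe; review the key list before running it, since the generator keeps every locked key it sees and the decision to skip one is yours.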
ComboFix log

ComboFix 10-09-29.01 - 252468 09/29/2010 16:28:49.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.2016 [GMT -5:00]
Running from: c:\users\252468\Desktop\ComboFix.exe
Command switches used :: c:\users\252468\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\252468\AppData\Roaming\EurekaLog

.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-29 21:33 . 2010-09-29 21:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-29 21:33 . 2010-09-29 21:33 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-09-29 21:33 . 2010-09-29 21:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-29 21:27 . 2010-09-29 21:27 -------- d-----w- C:\32788R22FWJFW
2010-09-29 13:56 . 2010-03-04 04:04 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-09-29 13:56 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-28 18:08 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-27 17:05 . 2010-09-27 17:05 388096 ----a-r- c:\users\252468\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-27 17:05 . 2010-09-27 17:05 -------- d-----w- c:\program files\Trend Micro
2010-09-27 00:30 . 2010-09-27 00:30 61440 ----a-w- c:\programdata\WebEx\WebEx\500\libfaac.dll
2010-09-27 00:30 . 2010-09-27 00:30 237568 ----a-w- c:\programdata\WebEx\WebEx\500\mpeg4convert.dll
2010-09-26 23:42 . 2010-09-26 23:42 -------- d-----w- c:\windows\Sun
2010-09-26 23:42 . 2010-09-26 23:42 -------- d-----w- c:\program files\Common Files\Java
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\users\252468\AppData\Roaming\Malwarebytes
2010-09-24 03:09 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\programdata\Malwarebytes
2010-09-24 03:09 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-24 01:37 . 2010-09-24 01:37 -------- d-----w- c:\program files\ESET
2010-09-23 16:59 . 2010-09-23 16:59 1377632 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-09-23 16:59 . 2010-09-23 16:59 942432 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-09-23 16:59 . 2010-09-23 16:59 598368 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-09-23 16:59 . 2010-09-23 16:59 4371296 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-09-23 16:59 . 2010-09-23 16:59 300896 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-09-23 16:58 . 2010-09-23 16:58 1690952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-09-20 14:56 . 2010-09-20 14:56 -------- d-----w- c:\users\252468\New folder
2010-09-15 16:29 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-02 00:01 . 2010-09-02 00:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\users\252468\AppData\Roaming\DVDVideoSoftIEHelpers
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\program files\DVDVideoSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 21:12 . 2009-04-22 15:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-27 00:30 . 2010-07-16 22:17 2084864 ----a-w- c:\programdata\WebEx\WebEx\500\atpdmod.dll
2010-09-27 00:30 . 2010-07-16 22:17 188416 ----a-w- c:\programdata\WebEx\WebEx\500\nbrres.dll
2010-09-27 00:30 . 2010-07-16 22:17 118856 ----a-w- c:\programdata\WebEx\WebEx\500\atas32.dll
2010-09-27 00:30 . 2010-07-16 22:17 331776 ----a-w- c:\programdata\WebEx\WebEx\500\nbrpd.dll
2010-09-27 00:30 . 2010-07-16 22:17 396680 ----a-w- c:\programdata\WebEx\WebEx\500\atasctrl.dll
2010-09-27 00:30 . 2010-07-16 22:17 623928 ----a-w- c:\programdata\WebEx\WebEx\500\nbrpfw.dll
2010-09-26 23:42 . 2009-04-22 15:14 -------- d-----w- c:\program files\Java
2010-09-20 15:07 . 2010-07-19 21:09 -------- d-----w- c:\users\252468\AppData\Roaming\IrfanView
2010-09-17 00:41 . 2010-08-18 00:35 -------- d-----w- c:\program files\Dl_cats
2010-09-15 21:52 . 2009-04-22 14:57 -------- d-----w- c:\programdata\Microsoft Help
2010-08-29 20:44 . 2009-06-01 18:45 -------- d-----w- c:\program files\Atheros
2010-08-18 19:16 . 2010-08-18 19:16 -------- d-----w- c:\program files\BitZipper
2010-08-18 19:16 . 2010-08-18 19:16 -------- d-----w- c:\users\252468\AppData\Roaming\BitZipper
2010-08-18 00:35 . 2010-08-18 00:35 -------- d-----w- c:\program files\Dell AIO Printer 946
2010-08-11 23:06 . 2009-04-22 14:45 -------- d-----w- c:\program files\Microsoft Works
2010-08-11 22:02 . 2010-08-11 22:02 -------- d-----w- c:\users\Guest\AppData\Roaming\Apple Computer
2010-08-04 22:53 . 2010-08-04 22:53 -------- d-----w- c:\program files\Veoh Networks
2010-07-29 06:30 . 2010-08-11 16:22 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 16:22 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-17 10:00 . 2010-07-11 13:39 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 22:18 . 2010-07-16 22:18 98304 ----a-w- c:\programdata\WebEx\WebEx\500\webexrcd\atplayim.dll
2010-07-16 22:18 . 2010-07-16 22:18 5702 ----a-w- c:\programdata\WebEx\WebEx\500\atkbctl.dll
2010-07-16 22:18 . 2010-07-16 22:18 24576 ----a-w- c:\programdata\WebEx\WebEx\500\atmemmgr.dll
2010-07-15 20:25 . 2009-10-12 00:27 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 20:25 . 2010-07-15 20:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 20:24 . 2009-10-12 00:27 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 51712]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"DLCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-10-20 73728]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2007-01-12 435696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\users\252468\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ScreenHunter 5.1 Free.lnk - c:\program files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe [2009-12-26 5689344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 PAC207;Webcam 1200;c:\windows\system32\DRIVERS\PFC027.SYS [2007-06-29 611584]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-02 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-20 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe [2006-12-08 537480]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\HPCeeScheduleFor252468.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 18:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\users\252468\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
FF - ProfilePath - c:\users\252468\AppData\Roaming\Mozilla\Firefox\Profiles\kl5qu4jw.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=616163&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\252468\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4800)
c:\program files\HP\QuickPlay\Kernel\Video\CLMedia.dll
c:\program files\Common Files\muvee Technologies\MainConcept3(muvee)\muveel2ad.ax
c:\program files\Common Files\muvee Technologies\MainConcept3(muvee)\muveempgadec.dll
c:\program files\Common Files\muvee Technologies\MainConcept3(muvee)\muveempgdmx.ax
c:\program files\Common Files\muvee Technologies\MainConcept3(muvee)\muveemp4demux.ax
.
Completion time: 2010-09-29 16:35:00
ComboFix-quarantined-files.txt 2010-09-29 21:34
ComboFix2.txt 2010-09-27 16:41
ComboFix3.txt 2010-09-24 23:18

Pre-Run: 228,976,537,600 bytes free
Post-Run: 228,943,568,896 bytes free

- - End Of File - - 448464F6C571900824AED94BBCD058A9
 
virus prevention

Hi Bobbye,

I will soon be doing daily online financial transactions over this laptop. I currently only have AVG for virus protection. My question is what would you recommend for virus prevention in the future?

Do you have any personal recommendations for useful programs, or advice concerning virus prevention? Also, can you recommend any good articles or threads about this topic?

It seems to me most threads here are about what to do when a computer is infected, but what is best to do to prevent viruses and infections in the future?

Thank you,

greenly
 
It seems to me most threads here are about what to do when a computer is infected, but what is best to do to prevent viruses and infections in the future?

That's because this is the Virus and Malware Forum! But most of us include a section after removing the cleaning tools with security advice. I will leave yours.

Did you run the script I had for the locked Registry Files in Reply #19? It was right above the list of entries to remove in HJT. I need those open, so let's do the following.

First: Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif, dragging CFScript.txt onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Second: Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    :Files  
    c:\users\252468\New folder
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
When this is done, I'll have you remove the cleaning tools and logs and give you the security information. Security must be layered to be the most effective. I'll give you that information.
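Added example, not ComboFix's own code and not part of the original thread: a small Python parser for the LOCKED REGISTRY KEYS section of a ComboFix log. It lists each key's Deny/Allow entries and builds the RegLock:: block of a CFScript from the keys that carry a Deny for Everyone, which are the ones a scanner cannot read. CFScript directives end in two colons (File::, RegLock::). The log excerpt embedded in the code is constructed from the keys shown in this thread; note that the Flash Broker keys in it point at Adobe's own FlashUtil10*_ActiveX.exe and are ACL-restricted by the Flash Player installer itself, so a locked key is a reason to inspect it, not by itself a sign of malware.

```python
"""Parse the LOCKED REGISTRY KEYS section of a ComboFix log and build the
RegLock:: block for a CFScript.  Added example; the sample excerpt below is
constructed from the keys reported in the thread, in ComboFix's own format."""
import re

SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# The section runs from its banner to the next "." separator line or banner.
SECTION_RE = re.compile(r"-+ LOCKED REGISTRY KEYS -+\n(.*?)(?=\n\.\n|\n-{5,})", re.S)
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ACE_RE = re.compile(r"^@(Denied|Allowed): \(([^)]*)\) \(([^)]*)\)$")


def parse_locked_keys(log_text):
    """Return one dict per key: {'key', 'denied', 'allowed', 'values'}.
    'denied' and 'allowed' hold (rights, principal) tuples as ComboFix prints them;
    'values' keeps the REGEDIT4-style value lines so the reader can judge the key."""
    m = SECTION_RE.search(log_text)
    if not m:
        return []
    entries, current = [], None
    for raw in m.group(1).splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = {"key": km.group(1), "denied": [], "allowed": [], "values": []}
            entries.append(current)
            continue
        if current is None or not line:
            continue
        am = ACE_RE.match(line)
        if am:
            kind, rights, who = am.groups()
            current["denied" if kind == "Denied" else "allowed"].append((rights, who))
        else:
            current["values"].append(line)
    return entries


def keys_denying_everyone(entries):
    """Keys whose ACL carries a Deny ACE for Everyone: those are unreadable to a
    scanner running as a normal user, which is why the helper wants them opened."""
    return [e["key"] for e in entries
            if any(who == "Everyone" for _, who in e["denied"])]


def make_reglock_script(keys):
    """Build the RegLock:: block of a CFScript, one bracketed key per line."""
    return "RegLock::\n" + "".join(f"[{k}]\n" for k in keys)


if __name__ == "__main__":
    found = parse_locked_keys(SAMPLE_LOG)
    for e in found:
        print(e["key"], "denied:", e["denied"], "allowed:", e["allowed"])
    print(make_reglock_script(keys_denying_everyone(found)))
```

Run it against a real ComboFix.txt by reading the file into `parse_locked_keys`; the generated block is pasted into CFScript.txt exactly as printed, and the Elevation subkey, which has values but no Deny entry, is correctly left out.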
 
OTM log

Hi Bobbye,

Did you run the script I had for the locked Registry Files in Reply #19? It was right above the list of entries to remove in HJT.

Yes, I did this ComboFix script yesterday and also removed the given entries in HJT, see my reply #20


**************************************************************


Below is the log for OTM


All processes killed
========== PROCESSES ==========
========== FILES ==========
c:\users\252468\New folder folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 252468
->Temp folder emptied: 3262499 bytes
->Temporary Internet Files folder emptied: 133113136 bytes
->Java cache emptied: 7328044 bytes
->FireFox cache emptied: 42515629 bytes
->Flash cache emptied: 11345 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 45659819 bytes

Total Files Cleaned = 221.00 mb


OTM by OldTimer - Version 3.1.16.1 log created on 09302010_211328

Files moved on Reboot...
C:\Users\252468\AppData\Local\Temp\ehmsas.txt moved successfully.
C:\Users\252468\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EK5X73PA\sh24[1].html moved successfully.
C:\Users\252468\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EK5X73PA\topic153721-2[1].html moved successfully.
C:\Users\252468\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\74LIUEVU\adsCAPYTXVQ.htm moved successfully.
C:\Users\252468\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\252468\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...
 
Okay, I saw your reply and all the same files are still locked. I can leave them locked and not be sure what's in them. Or you can run the script again.

If the problems have been resolved, remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
[image: CF_Uninstall-1.jpg, the Run box with Combofix /Uninstall typed in]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Tips for added security and safer browsing:
(Note: some of the programs below may not work on Windows 7 or a 64 bit OS)
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software(only one):Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    [o]MVPS Hosts files This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
  3. Stay current on updates:
    [o] Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates.
    [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    [o]Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
    Disable and Enable System Restore:
    [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
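Added example, not part of the original post and not code from MVPS or any of the tools named above: the HOSTS-file technique in the tips cuts both ways, since the same file that sinkholes ad domains at 127.0.0.1 is also what malware edits to redirect security vendors' update and download hosts. The Python below parses a HOSTS file (on Windows, C:\Windows\System32\drivers\etc\hosts), classifies each mapping as a sinkhole, a LAN name or a redirect to a routable address, flags redirects and any watched vendor names, and merges new blocklist domains without duplicating existing ones. The file contents and the .example hostnames are constructed for the demonstration.

```python
"""Audit and extend a blocking-style HOSTS file.  Added example; the sample
file below is constructed, and the .example names stand in for real hosts."""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.tracker.example           # MVPS-style blocking entry
127.0.0.1       banners.adnetwork.example
192.168.1.10    printer.lan
203.0.113.45    update.antivirus-vendor.example
203.0.113.45    download.antimalware-vendor.example
127.0.0.1       www.antivirus-vendor.example
"""

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}
# RFC 1918, link-local and IPv6 ULA/link-local: names a home LAN may legitimately map.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; comments and blanks skipped."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            out.append((parts[0], name.lower(), n))
    return out


def classify(ip):
    """'block' for sinkhole/loopback targets, 'local' for private ranges,
    'redirect' for anything routable, 'invalid' for junk in the address column."""
    if ip in SINKHOLES:
        return "block"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    if any(addr in net for net in LOCAL_NETS):
        return "local"
    return "redirect"


def find_hijacks(text, allow_local=True, watch=()):
    """Entries that send a name to a routable address, plus any name under a
    watched suffix (e.g. your AV vendor) however it is mapped: sinkholing an
    update host is as much a hijack as redirecting it."""
    hits = []
    for ip, name, n in parse_hosts(text):
        kind = classify(ip)
        watched = any(name == w or name.endswith("." + w) for w in watch)
        if watched or kind in ("redirect", "invalid") or (kind == "local" and not allow_local):
            hits.append({"line": n, "ip": ip, "host": name,
                         "kind": "watched" if watched else kind})
    return hits


def merge_blocklist(text, domains):
    """Append 0.0.0.0 entries for domains not already mapped; the original text
    is kept verbatim so the result can be diffed before replacing the file."""
    present = {name for _, name, _ in parse_hosts(text)}
    new = [d.lower() for d in domains if d.lower() not in present]
    if not new:
        return text
    if not text.endswith("\n"):
        text += "\n"
    return text + "".join(f"0.0.0.0\t{d}\n" for d in new)


if __name__ == "__main__":
    for h in find_hijacks(SAMPLE_HOSTS, watch=("antivirus-vendor.example",)):
        print(f"line {h['line']}: {h['host']} -> {h['ip']} ({h['kind']})")
```

Two design points: 0.0.0.0 is used for added entries because, unlike 127.0.0.1, it does not make the browser wait on a local connection attempt; and routable-address detection is done against explicit RFC 1918 networks rather than Python's `is_private`, which also treats the documentation ranges such as 203.0.113.0/24 as private and would hide exactly the kind of entry shown in the sample.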
 
ComboFix log (locked files)

Hi Bobbye,

Yes, thanks to you everything seems to be working perfectly. Just in case, I ran your script from above for ComboFix again and the log is below. I won't delete or uninstall anything yet until you see this log and make sure everything is OK.

Thank you for the added security tips and program recommendations. I will try and do as you listed. For anti-virus you recommend Avira or Avast; from your experience, are there advantages to them over AVG Free Edition?

Also, this computer is a laptop and I frequently use it outside the house and connect to public wireless networks. If I do online financial transactions over these public networks, what would be a few crucial steps I'd have to take to ensure best security? I will follow all your recommendations from above, but is there something you would include for public Wi-Fi, or is it enough to do as you advised above?

Thank you,

greenly


ComboFix 10-10-01.07 - 252468 10/02/2010 20:56:28.4.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.1745 [GMT -5:00]
Running from: c:\users\252468\Desktop\virus removal\later\ComboFix.exe
Command switches used :: c:\users\252468\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-10-03 02:00 . 2010-10-03 02:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-10-03 02:00 . 2010-10-03 02:00 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-10-03 02:00 . 2010-10-03 02:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-01 02:13 . 2010-10-01 02:13 -------- d-----w- C:\_OTM
2010-09-29 13:56 . 2010-03-04 04:04 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-09-29 13:56 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-28 18:08 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-27 17:05 . 2010-09-27 17:05 388096 ----a-r- c:\users\252468\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-27 17:05 . 2010-09-27 17:05 -------- d-----w- c:\program files\Trend Micro
2010-09-27 00:30 . 2010-09-27 00:30 61440 ----a-w- c:\programdata\WebEx\WebEx\500\libfaac.dll
2010-09-27 00:30 . 2010-09-27 00:30 237568 ----a-w- c:\programdata\WebEx\WebEx\500\mpeg4convert.dll
2010-09-26 23:42 . 2010-09-26 23:42 -------- d-----w- c:\windows\Sun
2010-09-26 23:42 . 2010-09-26 23:42 -------- d-----w- c:\program files\Common Files\Java
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\users\252468\AppData\Roaming\Malwarebytes
2010-09-24 03:09 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-24 03:09 . 2010-09-24 03:09 -------- d-----w- c:\programdata\Malwarebytes
2010-09-24 03:09 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-24 01:37 . 2010-09-24 01:37 -------- d-----w- c:\program files\ESET
2010-09-23 16:59 . 2010-09-23 16:59 1377632 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-09-23 16:59 . 2010-09-23 16:59 942432 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-09-23 16:59 . 2010-09-23 16:59 598368 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-09-23 16:59 . 2010-09-23 16:59 4371296 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-09-23 16:59 . 2010-09-23 16:59 300896 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-09-23 16:58 . 2010-09-23 16:58 1690952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-09-15 16:29 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 05:02 . 2010-08-18 00:35 -------- d-----w- c:\program files\Dl_cats
2010-09-29 21:12 . 2009-04-22 15:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-27 00:30 . 2010-07-16 22:17 2084864 ----a-w- c:\programdata\WebEx\WebEx\500\atpdmod.dll
2010-09-27 00:30 . 2010-07-16 22:17 188416 ----a-w- c:\programdata\WebEx\WebEx\500\nbrres.dll
2010-09-27 00:30 . 2010-07-16 22:17 118856 ----a-w- c:\programdata\WebEx\WebEx\500\atas32.dll
2010-09-27 00:30 . 2010-07-16 22:17 331776 ----a-w- c:\programdata\WebEx\WebEx\500\nbrpd.dll
2010-09-27 00:30 . 2010-07-16 22:17 396680 ----a-w- c:\programdata\WebEx\WebEx\500\atasctrl.dll
2010-09-27 00:30 . 2010-07-16 22:17 623928 ----a-w- c:\programdata\WebEx\WebEx\500\nbrpfw.dll
2010-09-26 23:42 . 2009-04-22 15:14 -------- d-----w- c:\program files\Java
2010-09-20 15:07 . 2010-07-19 21:09 -------- d-----w- c:\users\252468\AppData\Roaming\IrfanView
2010-09-15 21:52 . 2009-04-22 14:57 -------- d-----w- c:\programdata\Microsoft Help
2010-09-02 00:01 . 2010-09-02 00:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\users\252468\AppData\Roaming\DVDVideoSoftIEHelpers
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-01 14:22 . 2010-09-01 14:22 -------- d-----w- c:\program files\DVDVideoSoft
2010-08-29 20:44 . 2009-06-01 18:45 -------- d-----w- c:\program files\Atheros
2010-08-18 19:16 . 2010-08-18 19:16 -------- d-----w- c:\program files\BitZipper
2010-08-18 19:16 . 2010-08-18 19:16 -------- d-----w- c:\users\252468\AppData\Roaming\BitZipper
2010-08-18 00:35 . 2010-08-18 00:35 -------- d-----w- c:\program files\Dell AIO Printer 946
2010-08-11 23:06 . 2009-04-22 14:45 -------- d-----w- c:\program files\Microsoft Works
2010-08-11 22:02 . 2010-08-11 22:02 -------- d-----w- c:\users\Guest\AppData\Roaming\Apple Computer
2010-08-04 22:53 . 2010-08-04 22:53 -------- d-----w- c:\program files\Veoh Networks
2010-07-29 06:30 . 2010-08-11 16:22 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 16:22 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-17 10:00 . 2010-07-11 13:39 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 22:18 . 2010-07-16 22:18 98304 ----a-w- c:\programdata\WebEx\WebEx\500\webexrcd\atplayim.dll
2010-07-16 22:18 . 2010-07-16 22:18 5702 ----a-w- c:\programdata\WebEx\WebEx\500\atkbctl.dll
2010-07-16 22:18 . 2010-07-16 22:18 24576 ----a-w- c:\programdata\WebEx\WebEx\500\atmemmgr.dll
2010-07-15 20:25 . 2009-10-12 00:27 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 20:25 . 2010-07-15 20:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 20:24 . 2009-10-12 00:27 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 51712]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"DLCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-10-20 73728]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2007-01-12 435696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\users\252468\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ScreenHunter 5.1 Free.lnk - c:\program files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe [2009-12-26 5689344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

R3 PAC207;Webcam 1200;c:\windows\system32\DRIVERS\PFC027.SYS [2007-06-29 611584]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-02 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-20 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe [2006-12-08 537480]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\HPCeeScheduleFor252468.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 18:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\users\252468\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
FF - ProfilePath - c:\users\252468\AppData\Roaming\Mozilla\Firefox\Profiles\kl5qu4jw.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=616163&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\252468\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-10-02 21:02:34
ComboFix-quarantined-files.txt 2010-10-03 02:02
ComboFix2.txt 2010-09-29 21:35
ComboFix3.txt 2010-09-27 16:41
ComboFix4.txt 2010-09-24 23:18

Pre-Run: 229,527,900,160 bytes free
Post-Run: 229,489,012,736 bytes free

- - End Of File - - 693A7E42445032BFE5D39D60199E270D