PDA

View Full Version : Multiple iexplorer.exe process running.Thanks



grimaceivxx
2010-07-14, 02:15
Hello, thanks in advance for the help again... haha. First off I have avira free edition and avg the other day avira blocked some malware I kept getting notifications of a threat blocked and ran the scan with that found some hidden objects but nothing really... then a I.E. window popped up with some fake game sites etc... that only happened one time. I then ran spy bot and it found many cookie and tracker entries no Trojans or what appeared to be threats, ran it again it it said nothing was found BUT, when I view my processes in the task manager I have up to 7 iexplorer.exe process running and they are eating up memory and obviously a sign of a problem. thanks again.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Grimace at 15:46:10.91 on Tue 07/13/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1018 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
svchost.exe 4
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
svchost.exe 4
C:\Windows\system32\WUDFHost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Grimace\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\users\grimace\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\grimace\appdata\roaming\mozilla\firefox\profiles\0oy2l2qs.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/\r
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-6 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-6 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-6 242896]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-21 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-21 267432]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-14 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-21 60936]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-7-12 1153368]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\ae1000va.sys [2010-7-5 836384]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2004-10-6 283904]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2010-1-5 43392]
S3 dhdusb.NTx86;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\drivers\bcmusbdhdlh.sys [2010-3-18 238072]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-1-6 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-07-13 06:14:03 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-07-13 04:13:13 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-13 04:13:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-05 22:32:16 836384 ----a-w- c:\windows\system32\drivers\ae1000va.sys
2010-07-05 22:31:52 0 d-----w- c:\programdata\Cisco Systems
2010-07-03 10:08:36 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2010-07-03 10:08:34 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-07-03 10:08:34 21320 ----a-w- c:\windows\system32\authuitu.dll
2010-07-03 10:08:14 0 d-----w- c:\users\grimace\appdata\roaming\TuneUp Software
2010-07-03 10:07:40 0 d-----w- c:\program files\TuneUp Utilities 2010
2010-07-03 10:06:44 0 d-----w- c:\programdata\TuneUp Software
2010-07-03 10:06:38 0 d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-07-01 06:47:07 0 d-----w- c:\users\grimace\.BayPhoto
2010-07-01 06:46:53 0 d-----w- c:\users\grimace\.roescache
2010-06-24 05:57:26 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 05:57:25 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 05:57:25 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 05:57:25 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 05:57:25 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 05:55:56 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-24 05:55:56 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-18 07:15:15 0 d-----w- c:\program files\iPod
2010-06-18 07:09:51 0 d-----w- c:\program files\Bonjour
2010-06-13 23:58:10 0 d-----w- c:\programdata\Google
2010-06-13 23:53:36 0 d-----w- c:\users\grimace\appdata\roaming\GetRightToGo

==================== Find3M ====================

2010-07-05 22:32:46 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-05 22:32:46 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-05 22:32:45 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-03 02:24:37 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-18 23:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 05:06:46 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-29 05:06:46 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-29 05:06:46 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-04-23 14:13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-20 03:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-01-07 10:45:46 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-07 05:12:59 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-01-07 03:30:46 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:47:44.73 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 1/4/2010 8:54:36 PM
System Uptime: 7/13/2010 3:38:16 PM (0 hours ago)

Motherboard: Dell Inc. | | 0WG864
Processor: Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz | Microprocessor | 1795/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 932 GiB total, 733.968 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {ff646f80-8def-11d2-9449-00105a075f6b}
Description: pcouffin device ...
Device ID: ROOT\PCOUFFIN\0000
Manufacturer:
Name: pcouffin device ...
PNP Device ID: ROOT\PCOUFFIN\0000
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 9.0
Avira AntiVir Personal - Free Antivirus
Bay Photo
Bonjour
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DVDFab Platinum 4.0.3.6 Beta Registered by AxMan
Dynex Wireless G USB Network Adapter Setup
ERUNT 1.1j
GIMP 2.6.8
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 17
LimeWire 5.5.8
Logitech Desktop Messenger
Logitech QuickCam Driver Package
Logitech Vid
Logitech Webcam Software
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.6)
MSVCRT
NVIDIA Drivers
QuickTime
Security Update for CAPICOM (KB931906)
Spybot - Search & Destroy
TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.0.3
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

7/8/2010 6:50:59 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SENS service.
7/7/2010 7:13:46 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer MIKE-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7251C68D-ABF4-49F2-8D3D-CFB903282A. The master browser is stopping or an election is being forced.
7/13/2010 2:58:36 PM, Error: EventLog [6008] - The previous system shutdown at 2:57:09 PM on 7/13/2010 was unexpected.
7/12/2010 8:09:18 PM, Error: volsnap [27] - The shadow copies of volume C: were aborted during detection because a critical control file could not be opened.
7/12/2010 6:45:35 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.0.0.51 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
7/12/2010 6:37:49 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.0.0.50 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
7/12/2010 6:36:14 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.0.0.5 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
7/12/2010 6:21:32 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer MAC002241304566 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7251C68D-ABF4-49F2-8D3D-CF. The master browser is stopping or an election is being forced.
7/12/2010 6:21:25 PM, Error: iaStorV [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
7/12/2010 1:04:40 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy41.
7/12/2010 1:04:34 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy37.
7/12/2010 1:04:22 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy36.
7/12/2010 1:04:16 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy35.
7/12/2010 1:04:09 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy34.
7/12/2010 1:04:01 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy31.
7/12/2010 1:03:55 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy28.
7/12/2010 1:03:50 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy27.
7/12/2010 1:03:45 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy26.
7/11/2010 3:46:24 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.0.0.3 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
7/11/2010 2:36:02 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.10 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
7/11/2010 2:23:02 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.4 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/11/2010 10:32:31 PM, Error: EventLog [6008] - The previous system shutdown at 10:30:03 PM on 7/11/2010 was unexpected.
7/11/2010 1:19:46 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.112 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/11/2010 1:16:29 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanWorkstation service.

==== End Of File ===========================

shelf life
2010-07-19, 23:35
hi,

Your log is a few days old. Post back if you still need help.

grimaceivxx
2010-07-20, 05:26
Heya Shelf, I do still need assistance yes... Im close to just wiping it all but, I'd really prefer not to ya know? Anyways yes please your help would be much appreciated I got Trojans and all kinds of nastyness going on... thanks again.

shelf life
2010-07-21, 00:20
Ok. Lets see if Malwarebytes can dig up anything. Also you can uninstall one of your AV: AVG or Avast, via the add/remove programs panel. Two is not better than one with AV.

Run Malwarebytes and see if your malware signs improve by browsing a few web pages.

If so--> just post the malwarebytes log.

If not--> We will use Combofix. There is a guide to read first. Read the guide then apply the directions on your own machine. Post the combofix log along with the Malwarebytes log.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

grimaceivxx
2010-07-21, 10:19
Thanks for the speedy reply, yeah found a trojan in a file for something I should know better to dl and still having many iexplorer.exe files running in the background and my computer has a lot of trouble trying to shut down etc anyway....

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4334

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

7/20/2010 11:14:52 PM
mbam-log-2010-07-20 (23-14-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 283618
Time elapsed: 1 hour(s), 17 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Grimace\Documents\Downloads\TuneUP.Utilities.2010.Incl.Serial.WinAll-iND\keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.




ComboFix 10-07-20.03 - Grimace 07/20/2010 23:56:12.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1007 [GMT -7:00]
Running from: c:\users\Grimace\Downloads\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Grimace\AppData\Roaming\inst.exe
c:\users\Grimace\AppData\Roaming\Microsoft\~DFK955d9c.tmp
c:\users\Grimace\AppData\Roaming\Microsoft\~DFK98e745.tmp
c:\users\Grimace\AppData\Roaming\Microsoft\1eaadjc.dll
c:\users\Grimace\AppData\Roaming\Microsoft\bass.dll
c:\users\Grimace\AppData\Roaming\Microsoft\kfgresk.dll
c:\users\Grimace\AppData\Roaming\Microsoft\mjcriu.dll
c:\users\Grimace\AppData\Roaming\Microsoft\peaadje.dll
c:\users\Grimace\AppData\Roaming\Microsoft\qwadjb.dll
c:\users\Grimace\AppData\Roaming\Microsoft\rsaadjd.dll
c:\windows\system32\%appdata%

.
((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))
.

2010-07-21 06:48 . 2010-07-21 06:52 -------- d-----w- C:\32788R22FWJFW
2010-07-21 04:36 . 2010-07-21 04:36 -------- d-----w- c:\users\Grimace\AppData\Roaming\Malwarebytes
2010-07-21 04:36 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-21 04:36 . 2010-07-21 04:36 -------- d-----w- c:\programdata\Malwarebytes
2010-07-21 04:36 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-21 04:36 . 2010-07-21 06:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 05:55 . 2010-07-20 05:55 -------- d-----w- c:\program files\iPod
2010-07-13 22:44 . 2010-07-13 22:44 -------- d-----w- c:\program files\ERUNT
2010-07-13 04:13 . 2010-07-13 06:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-13 04:13 . 2010-07-13 04:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-12 05:37 . 2010-07-12 05:37 -------- d-----w- c:\users\test\AppData\Roaming\Avira
2010-07-12 05:29 . 2010-07-12 05:29 -------- d-----w- c:\users\test\AppData\Roaming\TuneUp Software
2010-07-12 04:06 . 2010-07-12 04:06 0 ----a-w- c:\windows\nsreg.dat
2010-07-05 22:32 . 2010-02-12 20:36 836384 ----a-w- c:\windows\system32\drivers\ae1000va.sys
2010-07-05 22:31 . 2010-07-05 22:31 -------- d-----w- c:\programdata\Cisco Systems
2010-07-03 10:08 . 2009-10-30 22:08 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2010-07-03 10:08 . 2009-10-30 22:01 21320 ----a-w- c:\windows\system32\authuitu.dll
2010-07-03 10:08 . 2009-10-30 22:01 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-07-03 10:08 . 2010-07-03 10:08 -------- d-----w- c:\users\Grimace\AppData\Roaming\TuneUp Software
2010-07-03 10:07 . 2010-07-03 10:08 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-07-03 10:06 . 2010-07-03 10:07 -------- d-----w- c:\programdata\TuneUp Software
2010-07-03 10:06 . 2010-07-03 10:06 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-07-01 06:47 . 2010-07-01 06:53 -------- d-----w- c:\users\Grimace\.BayPhoto
2010-07-01 06:46 . 2010-07-01 06:53 -------- d-----w- c:\users\Grimace\.roescache
2010-06-24 06:05 . 2010-06-24 06:05 -------- d-----w- c:\program files\Microsoft.NET
2010-06-24 05:57 . 2009-11-08 17:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 05:57 . 2009-11-08 17:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 05:57 . 2009-11-08 17:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 05:57 . 2009-11-08 17:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 05:57 . 2009-11-08 17:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 05:55 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-24 05:55 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-21 06:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-21 04:02 . 2010-01-07 04:07 -------- d-----w- c:\programdata\avg9
2010-07-21 03:54 . 2010-07-21 03:54 1615200 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-07-21 03:53 . 2010-07-21 03:53 1373536 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-07-21 03:53 . 2010-07-21 03:53 1107296 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
2010-07-21 03:53 . 2010-07-21 03:53 921440 ----a-w- c:\programdata\avg9\update\backup\avgemc.exe
2010-07-21 03:53 . 2010-07-21 03:53 4368224 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-07-20 05:55 . 2010-05-22 18:30 -------- d-----w- c:\program files\iTunes
2010-07-20 05:55 . 2010-01-06 07:12 -------- d-----w- c:\program files\Common Files\Apple
2010-07-20 05:51 . 2010-07-20 05:51 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
2010-07-17 22:13 . 2010-01-07 05:35 -------- d-----w- c:\users\Grimace\AppData\Roaming\uTorrent
2010-07-17 02:35 . 2010-07-17 02:35 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-07-17 02:35 . 2010-07-17 02:35 216200 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-07-17 02:34 . 2010-07-17 02:34 1038688 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-07-17 02:34 . 2010-07-17 02:34 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-07-17 02:34 . 2010-07-17 02:34 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-07-17 02:34 . 2010-07-17 02:34 1690464 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-07-12 05:28 . 2010-07-12 05:28 49168 ----a-w- c:\users\test\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-03 10:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-07-01 05:26 . 2010-01-06 06:50 -------- d-----w- c:\users\Grimace\AppData\Roaming\vlc
2010-06-23 07:26 . 2010-01-10 07:27 -------- d-----w- c:\users\Grimace\AppData\Roaming\LimeWire
2010-06-18 07:09 . 2010-06-18 07:09 -------- d-----w- c:\program files\Bonjour
2010-06-14 00:57 . 2010-01-09 03:19 -------- d-----w- c:\program files\Google
2010-06-13 23:57 . 2010-01-10 10:57 -------- d-----w- c:\program files\Yahoo!
2010-06-13 23:54 . 2010-06-13 23:53 -------- d-----w- c:\users\Grimace\AppData\Roaming\GetRightToGo
2010-06-13 21:14 . 2010-05-07 06:06 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-13 21:14 . 2010-05-07 06:02 -------- d-----w- c:\programdata\DivX
2010-06-13 21:14 . 2010-06-13 21:14 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-06-13 21:14 . 2010-06-13 21:14 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-13 21:14 . 2010-01-09 03:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-13 21:14 . 2010-01-09 03:19 -------- d-----w- c:\program files\DivX
2010-06-13 21:14 . 2010-06-13 21:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-06-13 21:14 . 2010-06-13 21:14 57715 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-13 21:12 . 2010-05-07 06:06 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-06-13 21:12 . 2010-05-07 06:06 895256 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-06-10 07:50 . 2010-02-04 07:56 -------- d-----w- c:\program files\DVDFab Platinum 4
2010-06-05 23:42 . 2010-01-22 04:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-26 17:06 . 2010-06-09 02:40 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 02:40 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-25 02:35 . 2010-01-05 09:22 -------- d-----w- c:\programdata\NVIDIA
2010-05-21 21:14 . 2010-01-05 06:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-07 06:05 . 2010-05-07 06:05 84040 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-05-04 05:59 . 2010-06-09 02:39 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-09 02:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-09 02:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-09 02:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-09 02:39 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 05:06 . 2010-04-29 05:06 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-29 05:06 . 2010-04-29 05:06 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-29 05:06 . 2010-04-29 05:06 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-04-23 14:13 . 2010-05-27 02:54 2048 ----a-w- c:\windows\system32\tzres.dll
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

c:\users\Grimace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Grimace^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Grimace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Grimace^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Grimace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 14:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2009-07-16 23:35 5458704 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 21:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 23:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-27 00:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-04-14 10:33 13687328 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-04-14 10:33 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):50,24,0f,40,84,8f,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-896808877-2054827027-2505662573-1000]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2004-10-06 283904]
R3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2005-03-16 43392]
R3 dhdusb.NTx86;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\DRIVERS\bcmusbdhdlh.sys [2008-01-08 238072]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000va.sys [2010-02-12 836384]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\User_Feed_Synchronization-{3F263493-9286-4D04-9058-1926A0A96C40}.job
- c:\windows\system32\msfeedssync.exe [2010-06-09 04:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\Grimace\AppData\Roaming\Mozilla\Firefox\Profiles\0oy2l2qs.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/\r
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ANIWZCS2Service - c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
MSConfigStartUp-D-Link AirPlus XtremeG - c:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
MSConfigStartUp-LogitechCommunicationsManager - c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,be,f0,84,01,43,cb,49,b3,b4,14,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,be,f0,84,01,43,cb,49,b3,b4,14,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\WUDFHost.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2010-07-21 00:14:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-21 07:14

Pre-Run: 772,156,325,888 bytes free
Post-Run: 772,248,948,736 bytes free

- - End Of File - - BBBAEF364A69327283E4309CA6B726EF
:thanks:

shelf life
2010-07-22, 00:14
ok good. We will get one more down load to use. Its called RootRepeal:


Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

FYI: cracks, keygens etc are very popular for carrying malware payloads.

grimaceivxx
2010-07-22, 11:03
Hello... soo I was trying all night to run the RootRepeal program but was unsuccessful that link was bad you posted got a 403 error when navigating to it. googled them, got the program up it would freeze or just shut down. sometimes a dialog box would pop up after 30min or so if scanning it would really just be the outline of a dialog box it would actually show up as my desktop image but with the outline of a box... like it wasn't loading all the way sigh..:confused: any other idears? kaspersky or something? Thanks very much for taking the time to help a brother out! :bigthumb:

shelf life
2010-07-23, 00:05
I guess the that link is no good anymore. Before going on, how is your machine running now? Any more popups, re-directs etc?

grimaceivxx
2010-07-24, 01:29
Hey... machine is running so so it wont shut down or restart properly but, navigating the web seems to be almost normal still a little clunky. Today when I went to start it up the desktop never appeared just the white cursor from the mouse against the black background:confused: shut it off and it came back.Avira was doing a scan and found a virus in a java temp folder... still a lot of the explorer processes running...I've attached a screen shot of my process from task manager.

shelf life
2010-07-24, 02:06
did you uninstall one of your antivirus apps?


The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy41.
7/12/2010 1:04:34 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy37.

See this link (http://www.windows-help-central.com/windows-vista-chkdsk.html)

Do you have several tabs open in Internet Explorer?
Reboot your machine and dont use Internet Explorer. Wait 5 or so minutes then check task manager and see if IE is running "on its own"

grimaceivxx
2010-07-25, 01:25
hey shelf... errrgg did the disc check yesterday took about 5 or 6 hours when I went back to my computer it was off so I switched it on and I after I singed in I received a notification saying windows is recovering from a unexpected shut down... so Im not sure what happened I'll try to run it again today. Computer is running terrible though firefox wouldn't open today, it said it was running in the process's but the browser would never open restart many times nothing finally turned it off waited a bit and it worked. But yes I did uninstall avg so I am running only 1 anti virus app. i am still having many of the iexplorer.exe files running and now something is odd I have 15 svchost.exe process running I don't think I've ever had that many at once before but, I may be mistaken? thanks have a good weekend.

shelf life
2010-07-25, 16:00
We will get two downloads the first is Gmer:
You can follow the directions posted here (http://www.bleepingcomputer.com/forums/topic34773.html) at step number 8. Post the gmer log.

Next is MBRCheck.exe:

Please download MBRcheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop:

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post the log.

grimaceivxx
2010-07-27, 06:55
Hi Shelf... soo still having problems trying to run these rootkit programs I wasn't able to run that first one awhile ago and now this one keeps freezing up and shutting down right when it attempts to scan something labeled "shadow copy" right when it changes to that it locks up :confused: here is the MBR log though it seemed small but thats all there was?...(thats what she said):laugh: :fear:
MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

931 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

shelf life
2010-07-28, 00:30
thats all there was?

the MBRcheck log is pretty short compared to other logs.

We need to write a new master boot record to your drive.
We will use the recovery console to do it.
---------------------------
I removed the instructions which are for XP. The RC is a little different in Vista. I will post back.

grimaceivxx
2010-07-28, 05:30
Wow really?? Do you think that was something caused by the virus or some other problem that occurred? Everything was running good up until I got that ish! Anyways thanks again Mr Life... or Mrs I guess??? :rockon:

shelf life
2010-07-29, 01:13
Do you think that was something caused by the virus or some other problem that occurred?
Yes caused by on board malware. Rather than the Vista Recovery environment we will use the options in the tool itself to write a new master boot record:

Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
again at the bottom of the screen it will say:

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

This time around just continue with the options;
Enter 'Y' and click enter:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 3

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes

Done! Press ENTER to exit...

If your machine dosnt reboot on its own, please restart it.
Boot up normally, back at the windows desktop rerun MBRcheck.exe

Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).

It will open a black window, please do not fix anything this time (if it gives you an option).

Exit that window and it will produce a log (MBRCheck_date_time).
Please post that log when you reply.

grimaceivxx
2010-07-29, 05:54
Okay thanks a lot again I really really appreciate this I work CS for a company and I do tech support etc. for our programs and stuff so I kinda know what you're going through but, not really but I do really appreciate it and I did donate enough probably buy like 5 or so 40oz hahah thanks again :bigthumb:
MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

931 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

shelf life
2010-07-30, 01:31
your welcome. that log looks just like the first one you posted. did you copy/paste the first (older) one in by mistake?

Run MBRcheck again and the txt file it generates on your desktop should have the current date and time stamp in its name.

grimaceivxx
2010-07-30, 05:23
Hey here is a fresh one just did it but, looks the same? I dunno :confused:
MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

931 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

shelf life
2010-07-31, 02:17
The two logs are the same. Ok we will do two things:

One is you can run combofix again and post its log. It has probably been updated by now and will prompt you to update it when you launch it.

Two: we will use RootRepeal. Before you run it temporarily disable your Antivirus and any anti-malware app that may be running.

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply



soo still having problems trying to run these rootkit programs
What are you trying to run? some software emulators can cause problems with these apps.

grimaceivxx
2010-08-01, 03:09
Still can't run rootrepeal it seems like it is about to finish but, that translucent window pops up and locks it up or it just shuts down... I disabled my anti virus and I'm not running any emulators or cd emulators I do have that "Tuneup Utilities"program but, really thats the only thing I got running? I dunno? here is the combofix log though



ComboFix 10-07-30.01 - Grimace 07/30/2010 21:32:02.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1026 [GMT -7:00]
Running from: c:\users\Grimace\Downloads\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%
.
---- Previous Run -------
.
c:\windows\system32\%appdata%\Microsoft\Windows\IETldCache\index.dat . . . . failed to delete

.
MBR is infected with the Whistler Bootkit !!

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-31 04:38 . 2010-07-31 04:40 -------- d-----w- c:\users\Grimace\AppData\Local\temp
2010-07-31 04:38 . 2010-07-31 04:38 -------- d-----w- c:\users\test\AppData\Local\temp
2010-07-31 04:38 . 2010-07-31 04:38 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-31 04:38 . 2010-07-31 04:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-21 04:36 . 2010-07-21 04:36 -------- d-----w- c:\users\Grimace\AppData\Roaming\Malwarebytes
2010-07-21 04:36 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-21 04:36 . 2010-07-21 04:36 -------- d-----w- c:\programdata\Malwarebytes
2010-07-21 04:36 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-21 04:36 . 2010-07-21 06:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 05:55 . 2010-07-20 05:55 -------- d-----w- c:\program files\iPod
2010-07-13 22:44 . 2010-07-13 22:44 -------- d-----w- c:\program files\ERUNT
2010-07-13 04:13 . 2010-07-13 06:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-13 04:13 . 2010-07-13 04:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-12 05:37 . 2010-07-12 05:37 -------- d-----w- c:\users\test\AppData\Roaming\Avira
2010-07-12 05:29 . 2010-07-12 05:29 -------- d-----w- c:\users\test\AppData\Roaming\TuneUp Software
2010-07-12 04:06 . 2010-07-12 04:06 0 ----a-w- c:\windows\nsreg.dat
2010-07-05 22:32 . 2010-02-12 20:36 836384 ----a-w- c:\windows\system32\drivers\ae1000va.sys
2010-07-05 22:31 . 2010-07-05 22:31 -------- d-----w- c:\programdata\Cisco Systems
2010-07-03 10:08 . 2009-10-30 22:08 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2010-07-03 10:08 . 2009-10-30 22:01 21320 ----a-w- c:\windows\system32\authuitu.dll
2010-07-03 10:08 . 2009-10-30 22:01 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-07-03 10:08 . 2010-07-03 10:08 -------- d-----w- c:\users\Grimace\AppData\Roaming\TuneUp Software
2010-07-03 10:07 . 2010-07-03 10:08 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-07-03 10:06 . 2010-07-03 10:07 -------- d-----w- c:\programdata\TuneUp Software
2010-07-03 10:06 . 2010-07-03 10:06 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-07-01 06:47 . 2010-07-01 06:53 -------- d-----w- c:\users\Grimace\.BayPhoto
2010-07-01 06:46 . 2010-07-01 06:53 -------- d-----w- c:\users\Grimace\.roescache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 22:23 . 2010-01-26 20:24 -------- d-----w- c:\users\Grimace\AppData\Roaming\gtk-2.0
2010-07-21 06:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-21 04:02 . 2010-01-07 04:07 -------- d-----w- c:\programdata\avg9
2010-07-21 03:54 . 2010-07-21 03:54 1615200 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-07-21 03:53 . 2010-07-21 03:53 1373536 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-07-21 03:53 . 2010-07-21 03:53 1107296 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
2010-07-21 03:53 . 2010-07-21 03:53 921440 ----a-w- c:\programdata\avg9\update\backup\avgemc.exe
2010-07-21 03:53 . 2010-07-21 03:53 4368224 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-07-20 05:55 . 2010-05-22 18:30 -------- d-----w- c:\program files\iTunes
2010-07-20 05:55 . 2010-01-06 07:12 -------- d-----w- c:\program files\Common Files\Apple
2010-07-20 05:51 . 2010-07-20 05:51 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
2010-07-17 22:13 . 2010-01-07 05:35 -------- d-----w- c:\users\Grimace\AppData\Roaming\uTorrent
2010-07-17 02:35 . 2010-07-17 02:35 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-07-17 02:35 . 2010-07-17 02:35 216200 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-07-17 02:34 . 2010-07-17 02:34 1038688 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-07-17 02:34 . 2010-07-17 02:34 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-07-17 02:34 . 2010-07-17 02:34 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-07-17 02:34 . 2010-07-17 02:34 1690464 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-07-12 05:28 . 2010-07-12 05:28 49168 ----a-w- c:\users\test\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-03 10:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-07-01 05:26 . 2010-01-06 06:50 -------- d-----w- c:\users\Grimace\AppData\Roaming\vlc
2010-06-24 06:05 . 2010-06-24 06:05 -------- d-----w- c:\program files\Microsoft.NET
2010-06-23 07:26 . 2010-01-10 07:27 -------- d-----w- c:\users\Grimace\AppData\Roaming\LimeWire
2010-06-18 07:09 . 2010-06-18 07:09 -------- d-----w- c:\program files\Bonjour
2010-06-14 00:57 . 2010-01-09 03:19 -------- d-----w- c:\program files\Google
2010-06-13 23:57 . 2010-01-10 10:57 -------- d-----w- c:\program files\Yahoo!
2010-06-13 23:54 . 2010-06-13 23:53 -------- d-----w- c:\users\Grimace\AppData\Roaming\GetRightToGo
2010-06-13 21:14 . 2010-05-07 06:06 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-13 21:14 . 2010-05-07 06:02 -------- d-----w- c:\programdata\DivX
2010-06-13 21:14 . 2010-06-13 21:14 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-06-13 21:14 . 2010-06-13 21:14 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-13 21:14 . 2010-01-09 03:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-13 21:14 . 2010-01-09 03:19 -------- d-----w- c:\program files\DivX
2010-06-13 21:14 . 2010-06-13 21:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-06-13 21:14 . 2010-06-13 21:14 57715 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-13 21:12 . 2010-05-07 06:06 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-06-13 21:12 . 2010-05-07 06:06 895256 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-06-10 07:50 . 2010-02-04 07:56 -------- d-----w- c:\program files\DVDFab Platinum 4
2010-06-05 23:42 . 2010-01-22 04:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-26 17:06 . 2010-06-09 02:40 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 02:40 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 21:14 . 2010-01-05 06:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-07 06:05 . 2010-05-07 06:05 84040 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-05-04 05:59 . 2010-06-09 02:39 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-09 02:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-09 02:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-09 02:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

c:\users\Grimace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Grimace^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Grimace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Grimace^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Grimace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 14:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2009-07-16 23:35 5458704 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 21:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 23:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-27 00:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-04-14 10:33 13687328 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-04-14 10:33 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):50,24,0f,40,84,8f,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-896808877-2054827027-2505662573-1000]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2004-10-06 283904]
R3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2005-03-16 43392]
R3 dhdusb.NTx86;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\DRIVERS\bcmusbdhdlh.sys [2008-01-08 238072]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000va.sys [2010-02-12 836384]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\User_Feed_Synchronization-{3F263493-9286-4D04-9058-1926A0A96C40}.job
- c:\windows\system32\msfeedssync.exe [2010-06-09 04:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\Grimace\AppData\Roaming\Mozilla\Firefox\Profiles\0oy2l2qs.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/\r
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,be,f0,84,01,43,cb,49,b3,b4,14,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,be,f0,84,01,43,cb,49,b3,b4,14,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\WUDFHost.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2010-07-30 21:49:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-31 04:49
ComboFix2.txt 2010-07-21 07:14

Pre-Run: 753,043,050,496 bytes free
Post-Run: 752,917,868,544 bytes free

- - End Of File - - 3CAEAD951D3A455DA2F2666A34A8F271

shelf life
2010-08-01, 03:52
ok. Try using the MBRcheck tool again. If that dosnt work we will try the vista recovery environment. do you have the Vista installation CD\DVD?



1. Run MBRCheck.exe
2. Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
3. Please push the 'Y' key and then press Enter
4. When program ask you Enter your choice: enter (2) and press the Enter key
5. Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
6. Enter 0 and press the Enter key.
7. The program will show Available MBR codes:, followed by a list of operating systems. Please enter 3 for Windows Vista, and then press Enter.
8. The program will prompt for confirmation. Type 'YES' and hit Enter.
9. Left click on the title bar (where program name and path is written).
10. From menu chose Edit -> Select All
11. Hit the Enter key on your keyboard to copy selected text.
12. Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"
13. Restart your PC.
14. Post the text in "MBRCheck results.txt" here, please.

grimaceivxx
2010-08-01, 04:35
dude... whatever we did after the restart windows would not load it required the boot disc to load and told me to click "repair computer" when choosing my language setup I should of wrote down the error it was like wtm00002 or something but, that is here nor there I did and It all came back :) Im watching my proceseses in the task manager and I actually don't have any iexplorer.exe files running anymore! which is cool but :rockon: but I still have 10or more svchost.exe file running and some are using a lot of memory... here is the log


MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

931 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.



Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:

[ 0] Default (Windows Vista)

[ 1] Windows XP

[ 2] Windows Server 2003

[ 3] Windows Vista

[ 4] Windows 2008

[ 5] Windows 7

[-1] Cancel



Please select the MBR code to write to this drive:

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

Please reboot your computer to complete the fix.





Done! Press ENTER to exit...

shelf life
2010-08-01, 05:28
ok good. Not sure what the repair was about but it looks like the MBR write was a success. I have 7 svchost running in task manager.
See link (http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/).
Is your computer free of the malware signs you had before? Maybe popups, page re-direction etc?

grimaceivxx
2010-08-01, 06:10
Ahhh that was a pretty informative thanks for that... I'm pretty anal about my process's and start up programs etc and have never noticed all those but, they all seemed ligament so I dunno I'll read over that a few more times and tool around with some of them... was there anything else I should do or do you think that is it?

shelf life
2010-08-01, 16:56
was there anything else I should do or do you think that is it?
Looks ok to me based on the logs. Hows is it on your end now? Multiply IE's are gone, any other symptoms you may have had gone now?

grimaceivxx
2010-08-02, 00:14
Hello, no more of the process running but, when Avira did a scan it found 5 HEUR/HTML Malware warnings...




Avira AntiVir Personal
Report file date: Sunday, August 01, 2010 12:55

Scanning for 2661693 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MASTERCONTROL

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 20:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 20:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 02:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 01:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 00:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 19:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 02:57:13
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 02:19:31
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 22:23:34
VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 22:23:34
VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 22:23:36
VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 22:23:36
VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 22:23:36
VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 22:23:37
VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 02:36:26
VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 20:32:00
VBASE015.VDF : 7.10.10.0 2048 Bytes 7/29/2010 20:32:00
VBASE016.VDF : 7.10.10.1 2048 Bytes 7/29/2010 20:32:01
VBASE017.VDF : 7.10.10.2 2048 Bytes 7/29/2010 20:32:01
VBASE018.VDF : 7.10.10.3 2048 Bytes 7/29/2010 20:32:01
VBASE019.VDF : 7.10.10.4 2048 Bytes 7/29/2010 20:32:01
VBASE020.VDF : 7.10.10.5 2048 Bytes 7/29/2010 20:32:01
VBASE021.VDF : 7.10.10.6 2048 Bytes 7/29/2010 20:32:02
VBASE022.VDF : 7.10.10.7 2048 Bytes 7/29/2010 20:32:02
VBASE023.VDF : 7.10.10.8 2048 Bytes 7/29/2010 20:32:02
VBASE024.VDF : 7.10.10.9 2048 Bytes 7/29/2010 20:32:02
VBASE025.VDF : 7.10.10.10 2048 Bytes 7/29/2010 20:32:02
VBASE026.VDF : 7.10.10.11 2048 Bytes 7/29/2010 20:32:03
VBASE027.VDF : 7.10.10.12 2048 Bytes 7/29/2010 20:32:03
VBASE028.VDF : 7.10.10.13 2048 Bytes 7/29/2010 20:32:03
VBASE029.VDF : 7.10.10.14 2048 Bytes 7/29/2010 20:32:03
VBASE030.VDF : 7.10.10.15 2048 Bytes 7/29/2010 20:32:03
VBASE031.VDF : 7.10.10.25 97280 Bytes 7/30/2010 20:32:04
Engineversion : 8.2.4.32
AEVDF.DLL : 8.1.2.1 106868 Bytes 7/31/2010 20:32:14
AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 7/31/2010 20:32:14
AESCN.DLL : 8.1.6.1 127347 Bytes 5/13/2010 01:57:01
AESBX.DLL : 8.1.3.1 254324 Bytes 4/24/2010 02:57:03
AERDL.DLL : 8.1.8.2 614772 Bytes 7/24/2010 22:23:59
AEPACK.DLL : 8.2.3.3 471414 Bytes 7/31/2010 20:32:13
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/24/2010 22:23:54
AEHEUR.DLL : 8.1.2.10 2830711 Bytes 7/31/2010 20:32:11
AEHELP.DLL : 8.1.13.2 242039 Bytes 7/24/2010 22:23:47
AEGEN.DLL : 8.1.3.18 393589 Bytes 7/31/2010 20:32:05
AEEMU.DLL : 8.1.2.0 393588 Bytes 4/24/2010 02:57:00
AECORE.DLL : 8.1.16.2 192887 Bytes 7/24/2010 22:23:44
AEBB.DLL : 8.1.1.0 53618 Bytes 4/24/2010 02:56:59
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 20:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 20:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/19/2010 00:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 20:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 20:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 20:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 17:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 20:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 23:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 22:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 21:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 22:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, August 01, 2010 12:55

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\offlinedetectionpending
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'TrustedInstaller.exe' - '56' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '63' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '34' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '89' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'vssvc.exe' - '49' Module(s) have been scanned
Scan process 'avscan.exe' - '81' Module(s) have been scanned
Scan process 'avscan.exe' - '29' Module(s) have been scanned
Scan process 'avcenter.exe' - '65' Module(s) have been scanned
Scan process 'ehmsas.exe' - '19' Module(s) have been scanned
Scan process 'ehtray.exe' - '26' Module(s) have been scanned
Scan process 'avgnt.exe' - '62' Module(s) have been scanned
Scan process 'MSASCui.exe' - '39' Module(s) have been scanned
Scan process 'Explorer.EXE' - '129' Module(s) have been scanned
Scan process 'TuneUpUtilitiesApp32.exe' - '24' Module(s) have been scanned
Scan process 'Dwm.exe' - '38' Module(s) have been scanned
Scan process 'taskeng.exe' - '78' Module(s) have been scanned
Scan process 'taskeng.exe' - '48' Module(s) have been scanned
Scan process 'WUDFHost.exe' - '33' Module(s) have been scanned
Scan process 'SDWinSec.exe' - '47' Module(s) have been scanned
Scan process 'avshadow.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '9' Module(s) have been scanned
Scan process 'TuneUpUtilitiesService32.exe' - '43' Module(s) have been scanned
Scan process 'svchost.exe' - '49' Module(s) have been scanned
Scan process 'LVPrcSrv.exe' - '23' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '33' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '32' Module(s) have been scanned
Scan process 'avguard.exe' - '65' Module(s) have been scanned
Scan process 'svchost.exe' - '59' Module(s) have been scanned
Scan process 'sched.exe' - '56' Module(s) have been scanned
Scan process 'spoolsv.exe' - '83' Module(s) have been scanned
Scan process 'rundll32.exe' - '43' Module(s) have been scanned
Scan process 'svchost.exe' - '84' Module(s) have been scanned
Scan process 'svchost.exe' - '82' Module(s) have been scanned
Scan process 'SLsvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '156' Module(s) have been scanned
Scan process 'svchost.exe' - '102' Module(s) have been scanned
Scan process 'svchost.exe' - '70' Module(s) have been scanned
Scan process 'svchost.exe' - '54' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '24' Module(s) have been scanned
Scan process 'winlogon.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'lsm.exe' - '22' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '33' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'wininit.exe' - '26' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1691' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Users\Grimace\AppData\Local\Mozilla\Firefox\Profiles\0oy2l2qs.default\Cache\027CBC27d01
[0] Archive type: GZ
[DETECTION] Contains HEUR/HTML.Malware suspicious code
--> unkwn
[DETECTION] Contains HEUR/HTML.Malware suspicious code
C:\Users\Grimace\AppData\Local\Mozilla\Firefox\Profiles\0oy2l2qs.default\Cache\119BEC6Fd01
[0] Archive type: GZ
[DETECTION] Contains HEUR/HTML.Malware suspicious code
--> unkwn
[DETECTION] Contains HEUR/HTML.Malware suspicious code
C:\Users\Grimace\AppData\Local\Mozilla\Firefox\Profiles\0oy2l2qs.default\Cache\6E9D9E61d01
[0] Archive type: GZ
[DETECTION] Contains HEUR/HTML.Malware suspicious code
--> unkwn
[DETECTION] Contains HEUR/HTML.Malware suspicious code
C:\Users\Grimace\AppData\Local\Mozilla\Firefox\Profiles\0oy2l2qs.default\Cache\D0E6F06Bd01
[0] Archive type: GZ
[DETECTION] Contains HEUR/HTML.Malware suspicious code
--> unkwn
[DETECTION] Contains HEUR/HTML.Malware suspicious code

Beginning disinfection:
C:\Users\Grimace\AppData\Local\Mozilla\Firefox\Profiles\0oy2l2qs.default\Cache\D0E6F06Bd01
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The file was moved to the quarantine directory under the name '4835470d.qua'.
C:\Users\Grimace\AppData\Local\Mozilla\Firefox\Profiles\0oy2l2qs.default\Cache\6E9D9E61d01
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The file was moved to the quarantine directory under the name '50b668b7.qua'.
C:\Users\Grimace\AppData\Local\Mozilla\Firefox\Profiles\0oy2l2qs.default\Cache\119BEC6Fd01
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The file was moved to the quarantine directory under the name '02e93243.qua'.
C:\Users\Grimace\AppData\Local\Mozilla\Firefox\Profiles\0oy2l2qs.default\Cache\027CBC27d01
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The file was moved to the quarantine directory under the name '64dc7d8e.qua'.


End of the scan: Sunday, August 01, 2010 14:13
Used time: 1:14:07 Hour(s)

The scan has been done completely.

33118 Scanned directories
331609 Files were scanned
0 Viruses and/or unwanted programs were found
4 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
331605 Files not concerned
1164 Archives were scanned
0 Warnings
4 Notes
638908 Objects were scanned with rootkit scan
1 Hidden objects were found

shelf life
2010-08-02, 02:28
Avira did a scan it found 5 HEUR/HTML Malware warnings..
As long as it quarantined them, which it did.

You can remove combofix like this:
start>run and type in:
combofix /uninstall
click ok or enter
note the space after the x and before the /

You can delete the rootrepeal and MBRcheck icon from your desktop.
Keep Malwarebytes and note that the free version must be updated manually and a scan started manually.

FYI:keygens etc are very popular for carrying malware payloads.

You can make a new restore point but let me check the instructions first. The ones I have are for XP, not Vista. I will post back.

Some tips for you;

10 Tips for Reducing/Preventing Your Risk To Malware:

In no special order

1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader,iTunes etc. More and more third party applications are being targeted. Not sure if you have the latest version? Check their version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs.html)that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*. *There is no reason why your computer can not stay malware free.*

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html)for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's. Or see a slide show Here (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) and do it yourself.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Can you really trust the source of the file? Do you really need another malware source?

Longer version with pictures in link below.

Happy Safe Surfing.