
TR/Crypt.XPACK.Gen2 & Gen3 Repeated Re-infections



Gorenth
2010-10-06, 14:51
Hi.

Avira AntiVir Premium reports that I continue to be automatically re-infected with TR/Crypt.XPACK.Gen2 -AND- TR/Crypt.XPACK.Gen3 -AND- TR/ATRAPS.Gen. This is similar to the problem described in this thread: TR/Crypt.XPACK.Gen2 Trojan urgent problem (http://forums.spybot.info/showthread.php?t=57784). But you make it abundantly clear that I must not follow those instructions on my own and that I should instead ask for separate instructions, which is what I'm doing now.

All the infected files are found in the C:\Windows\Temp directory and are named according to the pattern "TMPxxx.tmp". Avira reports anywhere from 4 to 20 infected files per automated startup scan every time I boot.

Avira quarantines the infected files, but several times now it's reported several more infections even while it's moving the previous infections to quarantine!

Here is an excerpt from one Avira log showing all the infections I'm seeing:

Beginning disinfection:
C:\WINDOWS\Temp\TMPE.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4e52a1fe.qua'.
C:\WINDOWS\Temp\TMP190.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '56c585e1.qua'.
C:\WINDOWS\Temp\TMP186.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '049adff8.qua'.
C:\WINDOWS\Temp\TMP184.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '62ad9038.qua'.
C:\WINDOWS\Temp\TMP180.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '2729bd00.qua'.
C:\WINDOWS\Temp\TMP16B.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '58328f60.qua'.
C:\WINDOWS\Temp\TMP169.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '148aa328.qua'.
C:\WINDOWS\Temp\TMP15F.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6892e346.qua'.
C:\WINDOWS\Temp\TMP155.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '45c8cc09.qua'.
C:\WINDOWS\Temp\TMP153.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5ca0f795.qua'.
C:\WINDOWS\Temp\TMP14F.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '30fcdba7.qua'.
C:\WINDOWS\Temp\TMP114.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4145e23c.qua'.
C:\WINDOWS\Temp\TMP111.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4f5fd2f9.qua'.
C:\WINDOWS\Temp\TMP10F.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '0a76abbd.qua'.
C:\WINDOWS\Temp\TMP10E.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '037daf14.qua'.
C:\WINDOWS\Temp\TMP10B.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5b3cb663.qua'.


I read the instructions at: "BEFORE you POST" (http://forums.spybot.info/showthread.php?t=288), and here's the info you requested:

(1): I backed up the system registry using ERUNT (but then I blocked ERUNT from running every time I boot up. Is that ok?)

(2): I've attached the DDS output file as Attach.zip

(3): I will post RSIT's log file and info file in separate posts to follow, as requested.

(4): I tried to run the GMER Rootkit Scanner with the specified options turned off, but it saturated both cores of my 4 GHz dual core processor at 100% for over 30 minutes without finishing or showing any progress! I eventually felt I had to press the reset button because of this. Is that normal? If so, may I suggest you warn people about this? If it's not normal, please let me know what to do.

(5): Neither Spybot S&D nor TeaTimer is installed right now. I figured I should wait and follow your instructions on that score, too.

I'm running Windows XP Pro / SP3 on an Intel mobo and 4 GHz processor with 4 GB RAM, 2.3 GB of it available to Windows.


In closing, here is DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by mjb at 7:32:51.92 on Tue 10/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3322.2299 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Apps\Spyware Doctor\BDT\BDTUpdateService.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\dldocoms.exe
C:\Program Files\DC5\DCRServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Intel\Intel Desktop Utilities\iduServ.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\ofps.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe
D:\Apps\Spyware Doctor\pctsAuxs.exe
D:\Apps\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Apps\Spyware Doctor\pctsTray.exe
D:\Apps\StuffIt 2009\ArcNameService.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Intel\Intel Desktop Utilities\iptray.exe
D:\Apps\SlySoft\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Dell 968 AIO Printer\dldomon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Iconoid\Iconoid.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\R-Wipe&Clean\rwiped.exe
C:\Program Files\QuicKeys\QkEngine.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
D:\Apps\PasswordsPlus\Passwords Plus\Desktop\PasswordsPlus.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\vssvc.exe
D:\Apps\Mozilla\Firefox\firefox.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
D:\Apps\Mozilla\Firefox\plugin-container.exe
C:\Program Files\Common Files\Corel\Standby\Standby.exe
C:\Documents and Settings\mjb\Desktop\ANTI-MALWARE TOOLS from SpyBot Malware Forum\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - d:\apps\techsmith snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - d:\apps\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - d:\apps\techsmith snagit 9\SnagitIEAddin.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - d:\apps\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [Iconoid] "c:\program files\iconoid\Iconoid.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Adobe Reader Speed Launcher] "d:\apps\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ipTray.exe] c:\program files\intel\intel desktop utilities\iptray.exe
mRun: [VirtualCloneDrive] "d:\apps\slysoft\virtualclonedrive\VCDDaemon.exe" /s
mRun: [dldomon.exe] c:\program files\dell 968 aio printer\dldomon.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [ISTray] "d:\apps\spyware doctor\pctsTray.exe"
mRun: [ISUSScheduler] c:\program files\common files\installshield\updateservice\issch.exe -start
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\mjb\startm~1\programs\startup\erunt autobackup.lnk - c:\program files\erunt registry backup\AUTOBACK.EXE
StartupFolder: c:\docume~1\mjb\startm~1\programs\startup\quickeys engine.lnk - c:\program files\quickeys\QkEngine.exe
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 01000000
mPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: E&xport to Microsoft Excel - d:\apps\micros~1\office~1\office12\EXCEL.EXE/3000
IE: Open with ScanSoft PDF Converter 4.1 - d:\apps\nuance-scansoft\pdf professional 4.0\cnvres_eng.dll /100
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\apps\micros~1\office~1\office12\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\apps\micros~1\office~1\office12\REFIEBAR.DLL
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3B89785B-4E94-400A-8705-5841B14063A7} - hxxp://www.arcsoft.com/data/SimHDAss.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213325852156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mjb\applic~1\mozilla\firefox\profiles\26rgi5i4.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\{6ff1d3c4-61bc-4021-89b7-af8a8f784ebb}\components\snagitmozextension.dll
FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll
FF - plugin: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\mjb\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\vlc\npvlc.dll
FF - plugin: d:\apps\adobe\reader 9.0\reader\browser\nppdf32.dll
FF - plugin: d:\apps\misc\real alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\apps\misc\real alternative\browser\plugins\nprpjplug.dll
FF - plugin: d:\apps\mozilla\firefox\plugins\npwachk.dll
FF - plugin: d:\apps\opera\program\plugins\np_gp.dll
FF - plugin: d:\apps\opera\program\plugins\np32asw.dll
FF - plugin: d:\apps\opera\program\plugins\np32asw.dll
FF - plugin: d:\apps\opera\program\plugins\npdivx32.dll
FF - plugin: d:\apps\opera\program\plugins\npdsplay.dll
FF - plugin: d:\apps\opera\program\plugins\NPOFF12.DLL
FF - plugin: d:\apps\opera\program\plugins\NPOFF12.DLL
FF - plugin: d:\apps\opera\program\plugins\npqtplugin.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\apps\opera\program\plugins\NPSWF32.dll
FF - plugin: d:\apps\opera\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\apps\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\apps\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\apps\mozilla\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\apps\mozilla\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\apps\mozilla\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\apps\mozilla\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 DCR;DCR;c:\windows\system32\drivers\DCR.sys [2010-1-22 294408]
R0 DCVP;DCVP;c:\windows\system32\drivers\DCVP.sys [2010-1-22 19624]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-14 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-29 218592]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-12-30 89728]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-16 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-8-12 95592]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-20 528128]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-9-16 337064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-16 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-16 267432]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2007-2-22 30864]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-16 60936]
R2 Browser Defender Update Service;Browser Defender Update Service;d:\apps\spyware doctor\bdt\BDTUpdateService.exe [2009-12-4 112592]
R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2008-12-18 316416]
R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 DriveCryptService;DriveCrypt Service;c:\program files\dc5\DCRServ.exe [2010-1-22 96680]
R2 IduService;Intel(R) Desktop Utilities Service;c:\program files\intel\intel desktop utilities\iduServ.exe [2009-1-22 124928]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-12-23 711352]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-12-23 711352]
R2 JCPacket;FLDP Packet Driver;c:\windows\system32\drivers\jcpacket.sys [2002-5-26 10880]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-7-12 10448]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\silicon image\3132-w-r\SATARaid5ConfigService.exe [2005-10-5 131072]
R2 sdAuxService;PC Tools Auxiliary Service;d:\apps\spyware doctor\pctsAuxs.exe [2008-7-5 366840]
R2 sdCoreService;PC Tools Security Service;d:\apps\spyware doctor\pctsSvc.exe [2008-7-5 1142224]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2009-5-29 66944]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-12 2514944]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-6-14 114952]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-3-9 38304]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2008-6-20 252440]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-5 1691480]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 DYUSB;DYMO DiscPainter USB Status Monitor Driver;c:\windows\system32\drivers\dyusb.sys [2007-10-22 35200]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2009-1-22 17920]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2009-8-27 320384]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2007-7-27 14336]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-1-22 27064]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional home xii.sp2c\RpcAgentSrv.exe [2009-4-13 98488]
S4 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-9-16 405672]
S4 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [2009-10-9 99568]
S4 OS Selector;Acronis OS Selector activator;c:\program files\acronis\diskdirector\oss\reinstall_svc.exe [2010-5-25 2139400]

============== File Associations ===============

cmdfile="\"%1\" %*"
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-10-05 11:31:21 0 d-----w- c:\program files\ERUNT Registry Backup
2010-10-05 10:36:22 0 d-----w- c:\docume~1\mjb\applic~1\Malwarebytes
2010-10-05 10:36:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-05 10:36:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-05 10:36:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-05 10:36:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-16 11:39:05 0 d-----w- c:\docume~1\mjb\applic~1\Avira
2010-09-16 11:19:43 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-16 11:19:42 0 d-----w- c:\program files\Avira
2010-09-16 11:19:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-09-14 08:49:43 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-09-14 08:49:22 0 d-----w- c:\program files\Panda Security
2010-09-07 11:48:04 0 d-----w- c:\program files\Iconoid
2010-09-07 09:31:28 0 d-----w- c:\docume~1\mjb\applic~1\KC Softwares
2010-09-07 09:30:08 0 d-----w- c:\program files\SUMo - Software Update Monitor

==================== Find3M ====================

2010-10-05 09:57:37 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-08-28 07:54:09 10022 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-12 04:07:46 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-08-12 04:07:46 133616 ------w- c:\windows\system32\pxafs.dll
2010-08-12 04:07:46 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-08-12 04:07:46 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-08-06 06:14:57 1996 ----a-w- C:\copype.cmd
2010-08-02 11:48:33 8 --sh--r- c:\docume~1\alluse~1\applic~1\6904553153.sys
2010-08-02 11:48:33 8 --sh--r- c:\docume~1\alluse~1\applic~1\1B750485A4.sys
2010-07-26 14:13:40 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-21 03:03:12 767928 ----a-w- c:\windows\BDTSupport.dll
2010-07-21 01:22:46 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-17 08:56:14 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-07-17 08:56:12 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-07-09 22:57:47 3663 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2010-07-09 22:56:12 1085616 ----a-w- c:\windows\system32\SpoonUninstall.exe
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 7:33:37.01 ===============

Sorry, tashi, for getting ahead of myself with those two logs you deleted. Clearly I was confused, since the FAQ I said I read clearly didn't request that I post them. Please forgive me.

Also, although I have some P2P software installed, I've never actually completed any transfers with them. I'll be happy to uninstall them if you like.
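The Avira excerpt above is the kind of log a responder wants summarised rather than read line by line: how many files, which detection families, whether every hit sits in the same temp directory, and whether the count per scan is high enough to indicate that something is still writing the files (quarantine removes the dropped file, not whatever drops it). The following Python script is an added example, not code from the thread or from Avira; it parses the posted log format, and the `per_boot_threshold` heuristic and the `TMP<hex>.tmp` pattern are assumptions taken from the poster's description, not Avira settings.

```python
"""Summarise an Avira on-demand scan log excerpt and flag the re-infection
pattern described in the thread (many fresh TMPxxx.tmp files in
C:\\WINDOWS\\Temp quarantined on every boot)."""
import re
from collections import Counter

# Constructed sample input: the first six detections quoted in the post above.
AVIRA_LOG = r"""Beginning disinfection:
C:\WINDOWS\Temp\TMPE.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4e52a1fe.qua'.
C:\WINDOWS\Temp\TMP190.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '56c585e1.qua'.
C:\WINDOWS\Temp\TMP186.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '049adff8.qua'.
C:\WINDOWS\Temp\TMP184.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '62ad9038.qua'.
C:\WINDOWS\Temp\TMP180.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '2729bd00.qua'.
C:\WINDOWS\Temp\TMP16B.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '58328f60.qua'.
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECT_RE = re.compile(r"^\[DETECTION\] Is the (\S+) Trojan")
QUAR_RE = re.compile(r"^\[NOTE\] .* name '([0-9a-f]{8}\.qua)'")
# Naming pattern the poster observed: TMP + hex counter + .tmp in the Windows
# temp directory (an assumption for this example, taken from the post).
TEMP_RE = re.compile(r"^C:\\WINDOWS\\Temp\\TMP[0-9A-F]+\.tmp$", re.IGNORECASE)


def parse_avira_log(text):
    """Turn each path / [DETECTION] / [NOTE] triplet into one record per file."""
    events, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = {"path": line, "detection": None, "quarantine": None}
            events.append(current)
        elif current is not None:
            m = DETECT_RE.match(line)
            if m:
                current["detection"] = m.group(1)
                continue
            m = QUAR_RE.match(line)
            if m:
                current["quarantine"] = m.group(1)
    return events


def summarize(events, per_boot_threshold=4):
    """Count detections per family and flag the 'fresh temp files every boot'
    pattern. The threshold is an assumption for this example (the poster saw
    4 to 20 files per startup scan), not an Avira setting."""
    families = Counter(e["detection"] for e in events if e["detection"])
    in_temp = [e for e in events if TEMP_RE.match(e["path"])]
    quarantined = sum(1 for e in events if e["quarantine"])
    return {
        "total": len(events),
        "quarantined": quarantined,
        "families": families,
        "all_in_windows_temp": bool(events) and len(in_temp) == len(events),
        # Many distinct, newly created temp files quarantined in a single run
        # means the files are being re-created: quarantining removes each
        # dropped file but not the component that writes them.
        "likely_active_dropper": len(in_temp) >= per_boot_threshold,
    }


if __name__ == "__main__":
    summary = summarize(parse_avira_log(AVIRA_LOG))
    for family, n in summary["families"].most_common():
        print(f"{n:3d}  {family}")
    print("all in C:\\WINDOWS\\Temp:", summary["all_in_windows_temp"])
    print("likely active dropper:", summary["likely_active_dropper"])
```

Run on the full excerpt from the post, the same script reports the three families plus TR/Dropper.Gen, every path under C:\WINDOWS\Temp, and the "likely active dropper" flag set, which is exactly why the helpers ask for fresh DDS and online-scanner logs rather than relying on the quarantine count alone.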

Blade81
2010-10-11, 16:27
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent
BitComet FLV Converter
BitTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:

Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). Post back its report + fresh dds.txt log.

Gorenth
2010-10-13, 10:45
Thank you for your reply, Blade81.

I was happy to uninstall those programs you requested, but note that as I informed Tashi above, I'd never actually completed any transfer using them.

Here is the Kaspersky Online Scan Report (in blue):

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, October 13, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 12, 2010 08:47:44
Records in database: 4202236
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Q:\
R:\
Y:\

Scan statistics:
Objects scanned: 752503
Threats found: 3
Infected objects found: 0
Suspicious objects found: 3
Scan duration: 17:41:25


File name / Threat / Threats count
C:\Documents and Settings\mjb\Application Data\Thunderbird\Profiles\nd01ohcg.default\Mail\mail.comcast-1.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\mjb\Application Data\Thunderbird\Profiles\nd01ohcg.default\Mail\mail.comcast.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\mjb\Application Data\Thunderbird\Profiles\nd01ohcg.default\Mail\mail.comcast.net\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 1

Selected area has been scanned.

It is my opinion that the Kaspersky Online Scan completely missed the actual infections I reported in my OP. The evidence points away from all those infections reported by Avira Premium being false positives, since those reported files actually were multiplying like crazy. I absolutely do not trust that I'm infection-free except for those infected emails, as the Kaspersky scan claims.

Here is the dds.txt file:


DDS (Ver_10-03-17.01) - NTFSx86
Run by mjb at 4:30:27.64 on Wed 10/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3322.2292 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Apps\Spyware Doctor\BDT\BDTUpdateService.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\dldocoms.exe
C:\Program Files\DC5\DCRServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Intel\Intel Desktop Utilities\iduServ.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\ofps.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe
D:\Apps\Spyware Doctor\pctsAuxs.exe
D:\Apps\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Apps\Spyware Doctor\pctsTray.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Intel\Intel Desktop Utilities\iptray.exe
D:\Apps\SlySoft\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Dell 968 AIO Printer\dldomon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Iconoid\Iconoid.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\R-Wipe&Clean\rwiped.exe
C:\Program Files\QuicKeys\QkEngine.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Apps\Mozilla\Thunderbird\thunderbird.exe
C:\Documents and Settings\mjb\Desktop\ANTI-MALWARE TOOLS from SpyBot Malware Forum\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - d:\apps\techsmith snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - d:\apps\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - d:\apps\techsmith snagit 9\SnagitIEAddin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - d:\apps\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [Iconoid] "c:\program files\iconoid\Iconoid.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Adobe Reader Speed Launcher] "d:\apps\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ipTray.exe] c:\program files\intel\intel desktop utilities\iptray.exe
mRun: [VirtualCloneDrive] "d:\apps\slysoft\virtualclonedrive\VCDDaemon.exe" /s
mRun: [dldomon.exe] c:\program files\dell 968 aio printer\dldomon.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [ISTray] "d:\apps\spyware doctor\pctsTray.exe"
mRun: [ISUSScheduler] c:\program files\common files\installshield\updateservice\issch.exe -start
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\mjb\startm~1\programs\startup\quickeys engine.lnk - c:\program files\quickeys\QkEngine.exe
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 01000000
mPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: E&xport to Microsoft Excel - d:\apps\micros~1\office~1\office12\EXCEL.EXE/3000
IE: Open with ScanSoft PDF Converter 4.1 - d:\apps\nuance-scansoft\pdf professional 4.0\cnvres_eng.dll /100
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\apps\micros~1\office~1\office12\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\apps\micros~1\office~1\office12\REFIEBAR.DLL
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3B89785B-4E94-400A-8705-5841B14063A7} - hxxp://www.arcsoft.com/data/SimHDAss.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213325852156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mjb\applic~1\mozilla\firefox\profiles\26rgi5i4.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\{6ff1d3c4-61bc-4021-89b7-af8a8f784ebb}\components\snagitmozextension.dll
FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll
FF - plugin: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\vlc\npvlc.dll
FF - plugin: d:\apps\adobe\reader 9.0\reader\browser\nppdf32.dll
FF - plugin: d:\apps\misc\real alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\apps\misc\real alternative\browser\plugins\nprpjplug.dll
FF - plugin: d:\apps\mozilla\firefox\plugins\npwachk.dll
FF - plugin: d:\apps\opera\program\plugins\np_gp.dll
FF - plugin: d:\apps\opera\program\plugins\np32asw.dll
FF - plugin: d:\apps\opera\program\plugins\np32asw.dll
FF - plugin: d:\apps\opera\program\plugins\npdivx32.dll
FF - plugin: d:\apps\opera\program\plugins\npdivx32.dll
FF - plugin: d:\apps\opera\program\plugins\npdsplay.dll
FF - plugin: d:\apps\opera\program\plugins\NPOFF12.DLL
FF - plugin: d:\apps\opera\program\plugins\NPOFF12.DLL
FF - plugin: d:\apps\opera\program\plugins\npqtplugin.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\apps\opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\apps\opera\program\plugins\NPSWF32.dll
FF - plugin: d:\apps\opera\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\apps\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\apps\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\apps\mozilla\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\apps\mozilla\firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\apps\mozilla\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\apps\mozilla\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\apps\mozilla\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 DCR;DCR;c:\windows\system32\drivers\DCR.sys [2010-1-22 294408]
R0 DCVP;DCVP;c:\windows\system32\drivers\DCVP.sys [2010-1-22 19624]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-14 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-29 218592]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-12-30 89728]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-16 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-8-12 95592]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-20 528128]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-9-16 337064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-16 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-16 267432]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2007-2-22 30864]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-16 60936]
R2 Browser Defender Update Service;Browser Defender Update Service;d:\apps\spyware doctor\bdt\BDTUpdateService.exe [2009-12-4 112592]
R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2008-12-18 316416]
R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 DriveCryptService;DriveCrypt Service;c:\program files\dc5\DCRServ.exe [2010-1-22 96680]
R2 IduService;Intel(R) Desktop Utilities Service;c:\program files\intel\intel desktop utilities\iduServ.exe [2009-1-22 124928]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-12-23 711352]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-12-23 711352]
R2 JCPacket;FLDP Packet Driver;c:\windows\system32\drivers\jcpacket.sys [2002-5-26 10880]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-7-12 10448]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\silicon image\3132-w-r\SATARaid5ConfigService.exe [2005-10-5 131072]
R2 sdAuxService;PC Tools Auxiliary Service;d:\apps\spyware doctor\pctsAuxs.exe [2008-7-5 366840]
R2 sdCoreService;PC Tools Security Service;d:\apps\spyware doctor\pctsSvc.exe [2008-7-5 1142224]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2009-5-29 66944]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-12 2514944]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-6-14 114952]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-3-9 38304]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2008-6-20 252440]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-5 1691480]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 DYUSB;DYMO DiscPainter USB Status Monitor Driver;c:\windows\system32\drivers\dyusb.sys [2007-10-22 35200]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2009-1-22 17920]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2009-8-27 320384]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2007-7-27 14336]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-1-22 27064]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional home xii.sp2c\RpcAgentSrv.exe [2009-4-13 98488]
S4 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-9-16 405672]
S4 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [2009-10-9 99568]
S4 OS Selector;Acronis OS Selector activator;c:\program files\acronis\diskdirector\oss\reinstall_svc.exe [2010-5-25 2139400]

============== File Associations ===============

cmdfile="\"%1\" %*"
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-10-05 12:00:04 0 d-----w- c:\program files\trend micro
2010-10-05 11:31:21 0 d-----w- c:\program files\ERUNT Registry Backup
2010-10-05 10:36:22 0 d-----w- c:\docume~1\mjb\applic~1\Malwarebytes
2010-10-05 10:36:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-05 10:36:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-05 10:36:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-05 10:36:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-16 11:39:05 0 d-----w- c:\docume~1\mjb\applic~1\Avira
2010-09-16 11:19:43 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-16 11:19:42 0 d-----w- c:\program files\Avira
2010-09-16 11:19:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-09-14 08:49:43 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-09-14 08:49:22 0 d-----w- c:\program files\Panda Security

==================== Find3M ====================

2010-10-12 11:33:41 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-10-09 15:10:00 10022 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-12 04:07:46 133616 ------w- c:\windows\system32\pxafs.dll
2010-08-12 04:07:46 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-08-12 04:07:46 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-08-06 06:14:57 1996 ----a-w- C:\copype.cmd
2010-08-02 11:48:33 8 --sh--r- c:\docume~1\alluse~1\applic~1\6904553153.sys
2010-08-02 11:48:33 8 --sh--r- c:\docume~1\alluse~1\applic~1\1B750485A4.sys
2010-07-26 14:13:40 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-21 03:03:12 767928 ----a-w- c:\windows\BDTSupport.dll
2010-07-21 01:22:46 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-17 08:56:14 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-07-17 08:56:12 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 4:31:30.55 ===============


NOTE: I disabled Avira Premium during the Kaspersky Scan as suggested. The DDS.txt file shows it active because I re-enabled it after the scan.

Gorenth
2010-10-13, 15:14
As I feared, Avira is reporting the same infections again. Here are the two most recent infections reported:

Begin scan in 'C:\WINDOWS\Temp\TMPC.tmp'
C:\WINDOWS\Temp\TMPC.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] A backup was created as '4fb20e67.qua' ( QUARANTINE )
[NOTE] The file was moved to the quarantine directory under the name '572521d8.qua'.
Begin scan in 'C:\WINDOWS\Temp\TMPF.tmp'
C:\WINDOWS\Temp\TMPF.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] A backup was created as '057a7458.qua' ( QUARANTINE )

What will happen now is that each time I ask Avira Premium to remove those infections, still more will appear...

Blade81
2010-10-13, 16:35
Hi,

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Upload these files to http://www.virustotal.com and post back the results or links to those:
C:\Documents and Settings\All users\application data\6904553153.sys
C:\Documents and Settings\All users\application data\1B750485A4.sys


Update MBAM and run a full scan with it. Let it remove its findings. Post back the report.

How have you set Antivir heuristics settings?

Gorenth
2010-10-14, 18:32
OK, the VirusTotal scans reported no infections of those two files you specified. I've attached a zip file containing the HTML-only reports.

mbam also reported no infections. Here's the report:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4820

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/14/2010 10:53:45 AM
mbam-log-2010-10-14 (10-53-45).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 750348
Time elapsed: 2 hour(s), 58 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

However, Avira reported more new infections exactly like the others.

As far as Avira's heuristic level, both the Scanner and the Guard have these settings:

Macrovirus heuristic - Enabled
Advanced Heuristic Analysis and Detection - Enabled, Medium detection level.

Thanks for sticking with me!

Gorenth
2010-10-14, 18:33
Sorry, here's that zip file...

Blade81
2010-10-14, 18:47
Hi,

Nothing is appearing in those logs, and since it seems to be only Antivir alerting, I suspect it could be a false alarm. Have you updated Antivir definitions recently?

Gorenth
2010-10-15, 10:12
First, yes, I've updated the definitions, including just an hour ago.

As for this being a false positive, I uploaded an infected file to VirusTotal, and along with Avira, McAfee-GW-Edition reported it to be infected with this name (I've attached the report HTML file to this post):

Heuristic.LooksLike.Win32.Suspicious.J!86

When I looked that up with Google, it found several pages describing it. Two of the English pages are as follows:

W32/VBTroj (http://bugbopper.com/MalwareInfo/Name/other/W32_VBTroj.asp)

Xandor Report (http://report.xandora.net/2010/09/file-analyzer-d1899bb4430b8ba73ded3ebcfb1da99d22bfe766/)

I think one likely reason that the other scanners you asked me to run missed this is that they probably didn't scan .tmp files. But I realize that something else on my computer would have to be infected, and it is that which must be creating the .tmp files, and it is that infection that we are searching for primarily, correct?

My guess is that the .tmp files are being created by this other infection as the first step in compromising my system, and the next step must be renaming or copying it to some form of executable, because otherwise I don't see how a .tmp file could cause damage as long as it is still named xxx.tmp.

But again, my opinion is that these are not false positives because they multiply very fast every time Avira tries to move them into quarantine. Surely something is infected.

Thanks again for sticking with me, Blade81!

Gorenth
2010-10-15, 10:15
Hmmm... I guess I can't attach an html file. This time, I've zipped it first...

Gorenth
2010-10-15, 10:41
Probable breakthrough:

It finally dawned on me to examine the infected file more closely. When I looked at the file properties, the Version tab reported the file to be the application "Enosoft DV Processor"! How weird!

I have that app installed, but it's certainly not in my startup list! I have a tool that displays the entire startup list including "hidden" startups (I'll attach a screenshot if you wish), but it's just not there. How it keeps ending up as a .tmp file in C:\WINDOWS\Temp and was replicating itself up to 26 times per scan is very bizarre!

What I'll do now is use Revo Pro to uninstall the Enosoft DV Processor and all traces completely, and see if the infections stop. I'll report back on this.

Gorenth
2010-10-15, 13:31
Well, I uninstalled the Enosoft DV Processor and rebooted, but the infections remain.

So I looked around in the C:\Windows\Temp folder and found several other infected files that, when the file properties->Version tab is examined, are also revealed as application files with .tmp extensions. There are many identical files which are .tmp copies of "Adobe Updater" and the "A43 File Management Utility".

When I look at the installed app list in Revo Uninstaller Pro and Add/Remove Programs, neither appears by those names (i.e., they don't appear to be installed on that computer, at least according to those names). I've attached a zip file containing a text file showing details about all the Adobe applications installed on that computer.

Obviously, there is a very real and very dangerous infection! These are definitely not the result of false positives.

I'm more worried now than ever!
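
The file-properties check described in this post (reading the Version tab of a .tmp file to learn which application it really is), as an added Python example that is not from the thread or from any tool mentioned in it: it confirms a file is a PE image, pulls the CompanyName/ProductName/OriginalFilename strings out of its version resource, and hashes it for a VirusTotal lookup. The "Example Corp" / "Example Updater" sample is constructed in memory and is not a real binary; the TMP*.tmp naming pattern is the one seen in the Avira logs above.

```python
"""Triage helper for files such as C:\\Windows\\Temp\\TMPxxx.tmp.

Answers the question raised in this thread: is a quarantined .tmp file
really an executable, and if so, which application does it claim to be?
Standard library only; the sample binary below is constructed, not real.
"""
import hashlib
import struct
from pathlib import Path

# StringFileInfo keys that identify the application (what the Version tab shows).
VERSION_KEYS = ("CompanyName", "ProductName", "OriginalFilename", "FileVersion")


def is_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def version_strings(data: bytes) -> dict:
    """Extract String entries from the VS_VERSIONINFO resource.

    Each String structure is: WORD wLength, WORD wValueLength, WORD wType,
    WCHAR szKey[] (NUL-terminated), padding to a DWORD boundary, WCHAR Value[].
    The key is located by its UTF-16LE bytes (a heuristic: a full resource
    walker would follow the .rsrc directory instead), then the value read.
    """
    found = {}
    for key in VERSION_KEYS:
        needle = key.encode("utf-16-le") + b"\x00\x00"
        pos = data.find(needle)
        if pos < 6:
            continue
        start = pos - 6                      # the 6-byte header precedes szKey
        _, value_words, _ = struct.unpack_from("<HHH", data, start)
        value_off = pos + len(needle)
        value_off += (-(value_off - start)) % 4  # Value is DWORD-aligned
        raw = data[value_off:value_off + 2 * value_words]
        found[key] = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return found


def triage_bytes(data: bytes) -> dict:
    """Size, SHA-256 (for a VirusTotal lookup), PE check and version strings."""
    pe = is_pe(data)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": pe,
        "version": version_strings(data) if pe else {},
    }


def triage_directory(directory, pattern: str = "TMP*.tmp") -> dict:
    """Triage every file in directory matching the Windows\\Temp naming pattern."""
    return {p.name: triage_bytes(p.read_bytes())
            for p in sorted(Path(directory).glob(pattern))}


def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String structure (used only for the sample)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = k + b"\x00" * ((-(6 + len(k))) % 4) + v   # pad Value to DWORD
    total = 6 + len(body)
    return struct.pack("<HHH", total, len(v) // 2, 1) + body + b"\x00" * ((-total) % 4)


def sample_tmp_file() -> bytes:
    """Constructed sample: a fake PE image whose version resource names a
    hypothetical 'Example Updater' by 'Example Corp'. Not a real binary."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> PE signature
    hdr[0x80:0x84] = b"PE\x00\x00"
    entries = b"".join(_string_entry(k, v) for k, v in (
        ("CompanyName", "Example Corp"),
        ("ProductName", "Example Updater"),
        ("OriginalFilename", "ExampleUpdater.exe"),
        ("FileVersion", "1.2.3.4"),
    ))
    return bytes(hdr) + entries


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmpdir:
        (Path(tmpdir) / "TMP190.tmp").write_bytes(sample_tmp_file())
        (Path(tmpdir) / "TMP191.tmp").write_bytes(b"plain scratch data\n")
        for name, info in triage_directory(tmpdir).items():
            kind = "PE image" if info["is_pe"] else "not an executable"
            print(name, info["sha256"][:16], kind, info["version"])
```

Run it against a copy of the quarantined files (or Avira's .qua restore) rather than the live Temp folder, and paste the SHA-256 into VirusTotal instead of uploading blindly.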

Blade81
2010-10-15, 19:34
Hi,

Disable Antivir for the following operation.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Does Antivir still alert after that operation?

Gorenth
2010-10-16, 18:09
Those actions made no difference; all the symptoms remain unchanged. Surely you didn't expect things to be that easy in such a complex case. By the way, I already had a task that empties all the temp directories and browser cache and the like every shutdown.

This is clearly a very sophisticated piece of malware, and it's been quite some time since I've been able to use the infected computer safely. I've noticed that several other malware removal threads seem to show more aggressive actions and more than one step at a time. May I respectfully ask if you would please try to provide more than one step per iteration when possible? Perhaps some of your colleagues might throw in ideas, too?

I'm an experienced user, so if you want me to do some registry editing or follow other more complex instructions, just ask.

Thanks!

Blade81
2010-10-16, 19:34
Hi,

I've asked some of my colleagues for their opinions and they also think Antivir may be barking up the wrong tree there. Let's think about a situation where Antivir flags some update and quarantines the related file. The update is tried again, causing Antivir to flag the item again.

Please upload some of those files that Antivir is alerting about to this website (http://www.bleepingcomputer.com/submit-malware.php?channel=76). Kindly include a link to this topic in the message.

Blade81
2010-10-17, 17:11
Hi,

I got the file you sent. Seems to be ok. There's a similar topic at Avira forum (http://forum.avira.com/wbb/index.php?page=Thread&threadID=120446). I recommend you create a topic and ask there what's causing those alerts.

Gorenth
2010-10-17, 17:37
Hi,

I've asked some of my colleagues for their opinions and they also think Antivir may be barking up the wrong tree there. Let's think about a situation where Antivir flags some update and quarantines the related file. The update is tried again, causing Antivir to flag the item again.

Thank you very kindly for that. However, I'm afraid I don't follow you. What kind of "update" are you referring to there? An update to some application? Or an anti-malware update?

Let me explain: Ever since I posted my OP in this thread, the only time I allow any updates at all on the infected computer -- in fact the only time I connect the problem computer to the Internet or any other network -- is to either update malware definitions, download a new malware tool, or upload an infected file to one of the sites you requested. Even then, I only connect just barely long enough to perform that specific task, whereupon I disconnect immediately, either by disconnecting the cable or disabling Internet access with ZoneAlarm Pro (and I don't connect flash drives or floppies or other media, either). I post these messages from a different computer that's not infected.

Therefore, there is absolutely no chance that any applications are being updated: Not any Adobe products, not the A43 File Management Utility (which is a DOS app that has been out of production for years), and certainly not the Enosoft DV processor, even though they are the most common files to end up infected and named xxx.tmp in the C:\Windows\Temp directory.

I understand perfectly well that false positive malware reports are not particularly rare. But I can conceive of no false positive scenario in which a non-networked computer ends up with as many as 25 copies of the exact same application -- either Adobe Updater, A43 File Utility, or Enosoft DV Processor -- renamed xxx.tmp in the Windows Temp directory, infected or otherwise! Why does this happen to no other apps? Why so many exact copies of the same 3 files?

What possible false positive scenario can logically explain all that? I was a systems programmer for many years, and I certainly can't think of one.

Recall that the Windows Temp directory is completely erased every boot, and I don't have to do anything -- I launch no application or control panel or anything else -- before Avira reports these bizarre files are infected.

Recall that VirusTotal ALSO reported these files to be infected, and also recall that Avira has reported four different infections of .tmp files in the same directory (see my OP):


TR/Crypt.XPACK.Gen2 Trojan
TR/Crypt.XPACK.Gen3 Trojan
TR/ATRAPS.Gen Trojan
TR/Dropper.Gen Trojan


It seems to me that the most logical explanation is that my computer is infected with some new piece of malware, as opposed to a false positive. They have to be seen first by someone before anti-malware tools can design a tool to detect and counteract them, right?



Please upload some of those files that Antivir is alerting about to this website (http://www.bleepingcomputer.com/submit-malware.php?channel=76). Kindly include a link to this topic in the message.

I have done so, but I strongly feel that is entirely pointless! It clearly is not the infected .tmp files that are the main issue: It is whatever is creating those .tmp files that's the REAL infection!

Thank you for all your efforts so far!
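The two competing explanations in this thread (Blade81's "an update is retried and the same file is quarantined again" versus Gorenth's "something on the box keeps dropping these") can be separated with one check that neither poster ran: hash every TMPxxx.tmp in the temp directory, group the duplicates, and compare each group against the installed executables they are suspected of being copies of (the Adobe updater, A43, the Enosoft DV processor). If a group is byte-identical to an installed, signed binary, the scanner is repeatedly flagging a copy that a legitimate process keeps writing; if the blobs match nothing on disk, that is worth escalating. The script below is an added example written for this thread, not code from either poster or from Avira; the file names, the reference binary name AdobeUpdater.exe and the sample bytes are all constructed here so it runs offline. On the real machine you would point group_temp_files() at C:\Windows\Temp and pass the actual installed executables as reference_paths.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe(path):
    """True if the file starts with the 'MZ' DOS header, i.e. it is at least nominally a Windows executable."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def group_temp_files(temp_dir, prefix="TMP", suffix=".tmp"):
    """Group files named TMPxxx.tmp by SHA-256. Returns {hexdigest: [paths]}."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(temp_dir)):
        if name.upper().startswith(prefix) and name.lower().endswith(suffix):
            p = os.path.join(temp_dir, name)
            if os.path.isfile(p):
                groups[sha256_of(p)].append(p)
    return dict(groups)


def match_against_reference(groups, reference_paths):
    """Map each hash group to the installed binary it is a byte-identical copy of, or None."""
    ref_by_hash = {sha256_of(p): p for p in reference_paths}
    return {h: ref_by_hash.get(h) for h in groups}


def report(temp_dir, reference_paths):
    """One row per distinct content: copy count, whether it is a PE file, and which reference it matches."""
    groups = group_temp_files(temp_dir)
    matches = match_against_reference(groups, reference_paths)
    return [
        {"sha256": h, "count": len(paths),
         "pe": all(is_pe(p) for p in paths), "matches": matches[h]}
        for h, paths in groups.items()
    ]


def build_demo():
    """Constructed sample data, not files from the thread: a hypothetical 'installed'
    binary and a temp dir holding three identical copies of it plus one unrelated blob."""
    root = tempfile.mkdtemp()
    ref = os.path.join(root, "AdobeUpdater.exe")  # hypothetical reference binary name
    body = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed-sample-payload"
    with open(ref, "wb") as f:
        f.write(body)
    temp_dir = os.path.join(root, "Temp")
    os.mkdir(temp_dir)
    for n in ("TMP180.tmp", "TMP184.tmp", "TMP186.tmp"):  # identical copies
        with open(os.path.join(temp_dir, n), "wb") as f:
            f.write(body)
    with open(os.path.join(temp_dir, "TMP190.tmp"), "wb") as f:  # matches nothing
        f.write(b"MZ" + b"\x00" * 62 + b"something else entirely")
    with open(os.path.join(temp_dir, "other.txt"), "wb") as f:  # ignored: wrong name pattern
        f.write(b"not relevant")
    return temp_dir, [ref]


if __name__ == "__main__":
    demo_temp, demo_refs = build_demo()
    for row in report(demo_temp, demo_refs):
        print(row["count"], "copies", row["sha256"][:12],
              "PE" if row["pe"] else "not PE",
              "-> identical to", row["matches"] or "(no installed binary)")
```

A match proves only that the bytes are the same as a binary already on the machine; it says nothing about who wrote them. The follow-up question Gorenth raises, what process is creating the files, is answered by Process Monitor with a path filter on C:\Windows\Temp\TMP*, which shows the writing process and its parent at the moment the file appears, before the scanner quarantines it.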

Blade81
2010-10-17, 18:03
Please take a look at the Avira forum topic linked in my previous post.

Gorenth
2010-10-19, 14:04
Well, first things first: Thank you, Blade81, for your time and assistance. It was very kind of you to donate your time and expertise to helping out some stranger!

That being said and truly meant, I can't say I'm comfortable with the result. Yes, Avira and many Avira users undeniably assert that these reports were false positives, and as such, the evidence is overwhelmingly against me. There's no way I can prove otherwise.

But unlike the other Avira users, who say that Avira was the only anti-malware tool to report these infections, I found that three independent tools agreed that at least one of my four different infections was genuine (Avira, VirusTotal, and Vipre-Rescue). Furthermore, I simply cannot wrap my mind around the concept that the creation of as many as about 100 identical copies of three and only three very weird applications named "Temp<xxx>.tmp" is a perfectly normal, everyday occurrence that I should just blithely ignore for peace of mind.

And now, after my first full day with the quasi-infected computer online, 3 separate times now this computer has hung up and needed to be restarted.

Yes, that really could all be coincidence. And no, I have no concrete evidence otherwise. As such, it would be unjust of me to ask for more of your time, unless and until I have something concrete, so I will simply wish you well and thank you most sincerely once more.

:thanks:

Blade81
2010-10-19, 14:52
You're welcome :)

If this issue still puzzles your mind I recommend creating a topic at Avira forum (http://forum.avira.com/wbb/index.php).

Blade81
2010-10-25, 19:23
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.