
AVG keeps finding new instances of... something



kenny5277
2011-11-01, 13:45
A0105378.exe is the file that AVG keeps finding and ultimately quarantining. But it's come up 3 or 4 times in the last day.

Many thanks in advance!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by moe at 12:31:17 on 2011-11-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.349 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Documents and Settings\moe\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mail.google.com/mail/?source=navclient-ff&shva=1#inbox
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Page_URL = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\moe\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [pamela.exe] "c:\program files\pamela\Pamela.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\moe\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\moe\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\moe\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\support
Trusted Zone: speedtest.net\www
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1310704740187
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{437F6C09-69C6-43A2-96BA-F21E51DDE9BA} : DhcpNameServer = 192.168.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-8-28 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2011-10-6 288088]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2152152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-15 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-21 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-21 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-10-25 13:05:55 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-24 17:59:58 -------- d--h--w- C:\$AVG
2011-10-24 10:09:21 -------- d-----w- c:\documents and settings\moe\application data\AVG2012
2011-10-24 10:07:25 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-10-21 00:46:53 -------- d-----w- c:\program files\AVIcodec
2011-10-21 00:38:03 -------- d-----w- c:\documents and settings\moe\application data\DDMSettings
2011-10-17 15:33:56 -------- d-----w- c:\windows\pss
2011-10-12 18:51:12 -------- d-----w- c:\program files\common files\xing shared
.
==================== Find3M ====================
.
2011-11-01 09:48:49 172544 ----a-w- c:\windows\system32\RemoteControl.dll
2011-10-31 10:37:55 44544 ----a-w- c:\windows\system32\agremove.exe
2011-09-26 09:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 09:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 04:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-28 21:01:49 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-08-28 21:01:49 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec
2011-08-18 13:25:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 12:32:33.25 ===============

jeffce
2011-11-01, 14:26
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

The fixes are specific to your problem and should only be used for the issues on this machine.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Having said that....Let's get going!! :thumbup:
----------

GMER

Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
----------

kenny5277
2011-11-01, 23:07
Thanks Jeff for taking on my case.

(Incidentally, "show all" is unchecked by default, yes? I left it unchecked.)

kenny5277
2011-11-02, 00:30
BTW, my machine was just performing very slowly. Extremely slowly. So I checked the task manager and noticed that the CPU was working at a consistent 40-60% but the idle process was close to 99%, and there was very little activity from any other processes in the list. (Is this indicative of a rootkit?)

Anyway, I just wanted to update the thread since this is new since my last post.

jeffce
2011-11-02, 01:10
Hi Kenny5277,

I see that you have both AVG and Lavasoft antivirus programs running at the same time. Having more than one antivirus program actively running at the same time can seriously degrade the performance of your computer. Please uninstall either AVG or Lavasoft using Add/Remove Programs.
------------

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

kenny5277
2011-11-02, 03:18
I didn't realize that when I installed Ad-Aware there was also an antivirus component (or I guess I assumed Ad-Watch was somehow distinct). I believe I've deactivated Ad-Watch. Should I uninstall Ad-Aware?

ComboFix.txt attached.

jeffce
2011-11-02, 13:41
Hi Kenny5277,

It isn't necessary to uninstall Ad-Aware, but just be sure that the real-time antivirus scanner is not on if you are going to use AVG. Just as an option, you could use the Ad-Aware antivirus and remove AVG completely, and then there would be no chance of conflicts. If you choose to remove AVG, let me know, because there is a special tool we can use to remove it completely, as AVG many times will leave a lot of extras on a computer.
----------

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to virustotal, please click VirusTotal (www.virustotal.com)

Copy and paste the following into the upload a file box (one at a time if more than one file is listed):

c:\windows\system32\rpcnetp.exe

Scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Right-click and Run as Administrator SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
*sfcfiles.dll


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
----------

In your next reply please post the logs created by VirusTotal and SystemLook. :)

kenny5277
2011-11-02, 14:06
Jeff, looking at the VirusTotal page I don't see a field where I can copy and paste the file address. I only see a "choose file" button which opens Windows Explorer. But when I look in the location for the file you mention, it's not there.

Am I missing something obvious here?

kenny5277
2011-11-02, 15:13
Another question, with regard to SystemLook and running as an administrator. From the right-click menu, I click "run as" and then a window pops up giving me the option to run on my account (Moe), another unused account (Korby), or as "Administrator", which is password protected. I've always just used Moe for everything, which I believe has full admin rights. I actually didn't know there was another account called "Administrator". (It's not present on the log on screen.)

The point is, "Administrator" is passworded and I don't know what the password is. Can I run it on my account if it has admin privileges?

jeffce
2011-11-02, 15:58
Hi,

Don't worry about the VirusTotal instructions for now. :) We can come back to that if need be.
---------

In regards to SystemLook please just double click to run it. That was my fault as I put the instructions for a Vista/7 system down instead of Windows XP.

kenny5277
2011-11-02, 17:20
:) ok.

.....

jeffce
2011-11-02, 22:17
Hi Kenny,



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


DDS::
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
Trusted Zone: microsoft.com\support
Trusted Zone: speedtest.net\www

Driver::
rpcnetp


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
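
Jeff's CFScript above lists, under DDS::, the orphaned toolbar CLSIDs ("No File"), the RunOnce entry and the Trusted Zone entries that ComboFix should remove. The following Python helper is an added example, not code from the thread, DDS or ComboFix; it parses the Pseudo HJT Report format from the DDS log at the top of the thread (a subset of those lines is embedded as constructed sample input) and lists those entry classes, plus Hosts overrides, as review prompts for a helper reading such a log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a subset of the "Pseudo HJT Report" lines from the
# DDS log posted at the top of this thread (it is not a new or complete log).
SAMPLE_DDS = r"""
uStart Page = hxxp://mail.google.com/mail/?source=navclient-ff&shva=1#inbox
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
Trusted Zone: microsoft.com\support
Trusted Zone: speedtest.net\www
Hosts: 127.0.0.1 www.spywareinfo.com
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Autorun bodies look like "[ValueName] command line"
AUTORUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    kind: str                      # "BHO", "TB", "uRun", "dRunOnce", "Trusted Zone", ...
    body: str                      # everything after "Kind: " (or after "Key = ")
    clsid: Optional[str] = None    # first {GUID} found in the body, if any
    name: Optional[str] = None     # BHO title or autorun value name
    target: Optional[str] = None   # file path, command line or setting value
    missing_file: bool = False     # DDS printed "No File" for this registration


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one DDS report line into an Entry; None for blank or separator lines."""
    line = line.strip()
    if not line or line == ".":
        return None
    # Settings lines: "uStart Page = value"; the key itself never contains ": "
    head = line.split(" = ", 1)[0]
    if " = " in line and ": " not in head:
        key, value = line.split(" = ", 1)
        return Entry(kind=key, body=value, target=value)
    if ": " not in line:
        return None
    kind, body = line.split(": ", 1)
    entry = Entry(kind=kind, body=body)
    found = CLSID_RE.search(body)
    if found:
        entry.clsid = found.group(0)
    entry.missing_file = body.rstrip().endswith("No File")
    if kind == "BHO":
        # "Title: {clsid} - path"
        entry.name = body.split(": ", 1)[0]
        entry.target = None if entry.missing_file else body.rsplit(" - ", 1)[-1]
    elif kind.endswith("Run") or kind.endswith("RunOnce"):
        am = AUTORUN_RE.match(body)
        if am:
            entry.name, entry.target = am.group("name"), am.group("cmd")
    elif not entry.missing_file:
        entry.target = body
    return entry


def triage(report: str) -> List[str]:
    """One review prompt per entry class that the CFScript in this thread targeted
    (plus Hosts overrides). These are prompts for a human helper, not malware
    verdicts: in the thread such entries were removed only after log review."""
    findings: List[str] = []
    for raw in report.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        if entry.kind in ("TB", "BHO") and entry.missing_file:
            findings.append(f"orphaned {entry.kind} registration {entry.clsid}: file missing")
        elif entry.kind.endswith("RunOnce"):
            findings.append(f"one-shot autorun {entry.kind} [{entry.name}] -> {entry.target}")
        elif entry.kind == "Trusted Zone":
            findings.append(f"IE trusted zone entry: {entry.body}")
        elif entry.kind == "Hosts":
            findings.append(f"hosts override: {entry.body}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```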

kenny5277
2011-11-03, 12:51
Here it is.

jeffce
2011-11-03, 13:40
Hi Kenny,

I see that you have Malwarebytes on your computer. Please open Malwarebytes, update it and then run a Quick Scan. There will be a log produced that I will need for you to post into your next reply.
-------------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the Start button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish

http://www.eset.com/onlinescan/
----------

In your next reply please post the logs created by Malwarebytes and ESET online scan. :)

kenny5277
2011-11-03, 23:35
Here it is.

jeffce
2011-11-04, 00:24
Hi Kenny,



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
C:\Documents and Settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\31\37145c9f-67417955
C:\Documents and Settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\44\34a5c4ec-1d3b6de6
C:\Documents and Settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\63\3c290e7f-6ef1b628
C:\Documents and Settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\7\4432bf07-6b7c2d84
C:\Documents and Settings\moe\My Documents\Downloads\cnet_DM-244_exe.exe
C:\Documents and Settings\moe\My Documents\Downloads\MoviePlayerSetup.exe

Folder::
C:\Documents and Settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\31\37145c9f-67417955
C:\Documents and Settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\44\34a5c4ec-1d3b6de6
C:\Documents and Settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\63\3c290e7f-6ef1b628
C:\Documents and Settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\7\4432bf07-6b7c2d84

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

kenny5277
2011-11-04, 01:30
ComboFix 11-11-03.05 - moe 11/04/2011 0:07.3.2 - x86
Running from: c:\documents and settings\moe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\moe\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
FILE ::
"c:\documents and settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\31\37145c9f-67417955"
"c:\documents and settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\44\34a5c4ec-1d3b6de6"
"c:\documents and settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\63\3c290e7f-6ef1b628"
"c:\documents and settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\7\4432bf07-6b7c2d84"
"c:\documents and settings\moe\My Documents\Downloads\cnet_DM-244_exe.exe"
"c:\documents and settings\moe\My Documents\Downloads\MoviePlayerSetup.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\31\37145c9f-67417955
c:\documents and settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\44\34a5c4ec-1d3b6de6
c:\documents and settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\63\3c290e7f-6ef1b628
c:\documents and settings\moe\Application Data\Sun\Java\Deployment\cache\6.0\7\4432bf07-6b7c2d84
c:\documents and settings\moe\My Documents\Downloads\cnet_DM-244_exe.exe
c:\documents and settings\moe\My Documents\Downloads\MoviePlayerSetup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-03 to 2011-11-03 )))))))))))))))))))))))))))))))
.
.
2011-11-03 12:18 . 2011-11-03 12:18 -------- d-----w- c:\program files\ESET
2011-11-01 11:25 . 2011-11-01 11:26 -------- d-----w- c:\program files\ERUNT
2011-10-25 13:05 . 2011-11-03 21:31 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-24 17:59 . 2011-10-24 17:59 -------- d-----w- C:\$AVG
2011-10-24 10:09 . 2011-10-24 10:09 -------- d-----w- c:\documents and settings\moe\Application Data\AVG2012
2011-10-24 10:07 . 2011-10-24 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-10-21 00:46 . 2011-10-21 00:46 -------- d-----w- c:\program files\AVIcodec
2011-10-21 00:38 . 2011-10-21 00:38 -------- d-----w- c:\documents and settings\moe\Application Data\DDMSettings
2011-10-17 16:36 . 2011-10-17 16:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-13 05:01 . 2011-10-13 05:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2011-10-12 18:51 . 2011-10-12 18:51 -------- d-----w- c:\program files\Common Files\xing shared
2011-10-12 18:50 . 2011-10-12 18:51 -------- d-----w- c:\program files\Real
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-02 19:55 . 2011-09-25 13:12 44544 ----a-w- c:\windows\system32\agremove.exe
2011-11-01 09:48 . 2011-08-23 21:19 172544 ----a-w- c:\windows\system32\RemoteControl.dll
2011-09-26 09:41 . 2008-12-22 17:48 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 09:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2008-12-22 17:48 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 04:30 . 2011-03-16 22:03 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12 . 2008-04-14 11:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-14 07:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 15:00 . 2011-08-28 21:25 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-28 21:01 . 2011-08-28 21:16 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-08-28 21:01 . 2011-08-28 21:01 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-22 23:48 . 2008-12-22 18:03 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-12-22 18:03 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-12-22 18:02 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-12-22 18:02 385024 ------w- c:\windows\system32\html.iec
2011-08-18 13:25 . 2011-08-28 20:58 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-17 13:49 . 2008-04-14 06:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-08 04:08 . 2011-03-01 20:25 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-12-22 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-11-02_00.35.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-02 23:05 . 2011-11-02 23:05 442368 c:\windows\ERDNT\AutoBackup\11-3-2011\Users\00000002\UsrClass.dat
+ 2011-11-02 23:05 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\11-3-2011\ERDNT.EXE
+ 2011-11-02 23:04 . 2011-11-02 23:05 17780736 c:\windows\ERDNT\AutoBackup\11-3-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"pamela.exe"="c:\program files\Pamela\Pamela.exe" [2011-11-01 11909120]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 2595480]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 905056]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 140568]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-10-12 273528]
.
c:\documents and settings\moe\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\moe\Application Data\Dropbox\bin\Dropbox.exe [2011-7-20 24176560]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2011-7-21 114688]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-10-12 18:50 273528 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\moe\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\moe\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:Windows Remote Management
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 3:13 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 11:03 PM 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/28/2011 9:58 PM 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 1:41 PM 229840]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 7:59 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [10/6/2011 1:21 AM 288088]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/15/2011 4:28 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 2:53 PM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 2:53 PM 16720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 8:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2011 2:19 AM 136176]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [9/12/2011 5:23 AM 5265248]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2011 2:19 AM 136176]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/18/2011 2:25 PM 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/18/2011 2:25 PM 15232]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 12:42 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 8:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 21:02]
.
2011-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-21 01:19]
.
2011-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-21 01:19]
.
2011-11-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-842925246-1801674531-1004Core.job
- c:\documents and settings\moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-15 03:49]
.
2011-11-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-842925246-1801674531-1004UA.job
- c:\documents and settings\moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-15 03:49]
.
2011-11-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-842925246-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 11:40]
.
2011-11-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-842925246-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 11:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/mail/?source=navclient-ff&shva=1#inbox
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-04 00:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1736)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-11-04 00:25:30
ComboFix-quarantined-files.txt 2011-11-03 23:25
ComboFix2.txt 2011-11-03 10:45
ComboFix3.txt 2011-11-02 00:48
.
Pre-Run: 41,278,676,992 bytes free
Post-Run: 41,263,214,592 bytes free
.
- - End Of File - - 98E1EB6732AB7B4CD1B90B8EF175A238

jeffce
2011-11-04, 02:41
Hi Kenny,

After looking over that last log things are looking good. How is your system running?

kenny5277
2011-11-04, 12:53
Hey Jeff, thanks for all your help.

Actually, my computer is not running great. I'm not sure if it's related to anything we've done, but it seems shortly after the first step (the Gmer scan) the CPU (according to the task manager) is running way higher than anything in the process list shows. The system idle process could be between 95 and 99% but the CPU still shows 40-60% usage. Also booting up seems to have gotten dramatically slower, often hanging at the welcome screen (while the little 3-dot progress bar thing keeps going round and round). Lastly, I just had to boot up twice because the first time I had a complete freeze-up (cursor too).

Related to the malware issue?

jeffce
2011-11-04, 13:18
Hi Kenny,

Have you decided what antivirus program you are going to use? There may still be some conflict with the two that will seriously degrade your computer's performance. I would recommend removing one of them completely. Let me know which one you want to get rid of and I will get you the removal tool for it. :)
----------

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.

Double click the aswMBR icon to run it.
Click the Scan button to start the scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Click the image to enlarge it
----------

In your next reply let me know which antivirus program

jeffce
2011-11-04, 13:19
Hi Kenny,

Have you decided what antivirus program you are going to use? There may still be some conflict with the two that will seriously degrade your computer's performance. I would recommend removing one of them completely. Let me know which one you want to get rid of and I will get you the removal tool for it. :)
----------

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.

Double click the aswMBR icon to run it.
Click the Scan button to start the scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Click the image to enlarge it
----------

In your next reply let me know which antivirus program you would like to remove and then post the log created by aswMBR.exe.

kenny5277
2011-11-04, 15:20
Jeff, the bug is still here. :( I just got another detection notice from AVG.

To respond to your last post, I've been with AVG for a while, so I think I'll stick with that. Can I keep Ad-Aware on my machine for occasional scans without using the active real-time AV?

I have to run now, but I'll run that scan that you mention when I get home.

Thanks for your continued help!

jeffce
2011-11-04, 16:39
Hi Kenny

What is AVG showing? That may help us target this better. :)

Yes, you can keep Ad-Aware if you choose, but be sure it is not running in real-time.

No hurry with the scan. I apologize that this is taking so long, but malware removal can sometimes be quite a task. :)

kenny5277
2011-11-04, 22:05
Hey Jeff. I understand this can take time. I appreciate you sticking with me through it!!

Here's a screenshot of the AVG threat detection. Should I go ahead with that scan now?

jeffce
2011-11-04, 22:51
Hi Kenny,

Thanks for the screenshot. :bigthumb: That won't be a problem at all. When we remove ComboFix that file will be removed too.

Go ahead and run aswMBR with the instructions I gave you earlier and then post that log when you get it.

kenny5277
2011-11-05, 12:05
Here it is.

jeffce
2011-11-05, 17:36
Hi Kenny,



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


Driver::
WINRM

NetSvc::
WINRM

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

kenny5277
2011-11-05, 18:54
ComboFix 11-11-05.02 - moe 11/05/2011 17:01:56.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1301 [GMT 1:00]
Running from: c:\documents and settings\moe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\moe\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_WinRM
.
.
((((((((((((((((((((((((( Files Created from 2011-10-05 to 2011-11-05 )))))))))))))))))))))))))))))))
.
.
2011-11-05 16:32 . 2011-11-05 16:32 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-11-05 16:28 . 2011-11-05 16:28 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-11-03 12:18 . 2011-11-03 12:18 -------- d-----w- c:\program files\ESET
2011-11-01 11:25 . 2011-11-01 11:26 -------- d-----w- c:\program files\ERUNT
2011-10-25 13:05 . 2011-11-03 21:31 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-24 17:59 . 2011-10-24 17:59 -------- d-----w- C:\$AVG
2011-10-24 10:09 . 2011-10-24 10:09 -------- d-----w- c:\documents and settings\moe\Application Data\AVG2012
2011-10-24 10:07 . 2011-10-24 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-10-21 00:46 . 2011-10-21 00:46 -------- d-----w- c:\program files\AVIcodec
2011-10-21 00:38 . 2011-10-21 00:38 -------- d-----w- c:\documents and settings\moe\Application Data\DDMSettings
2011-10-17 16:36 . 2011-10-17 16:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-13 05:01 . 2011-10-13 05:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2011-10-12 18:51 . 2011-10-12 18:51 -------- d-----w- c:\program files\Common Files\xing shared
2011-10-12 18:50 . 2011-10-12 18:51 -------- d-----w- c:\program files\Real
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-04 14:28 . 2011-09-25 13:12 44544 ----a-w- c:\windows\system32\agremove.exe
2011-11-01 09:48 . 2011-08-23 21:19 172544 ----a-w- c:\windows\system32\RemoteControl.dll
2011-10-07 05:23 . 2011-01-07 12:41 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 05:21 . 2011-02-10 13:53 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-26 09:41 . 2008-12-22 17:48 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 09:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2008-12-22 17:48 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 04:30 . 2011-03-16 22:03 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12 . 2008-04-14 11:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-14 07:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 15:00 . 2011-08-28 21:25 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-28 21:01 . 2011-08-28 21:16 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-08-28 21:01 . 2011-08-28 21:01 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-22 23:48 . 2008-12-22 18:03 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-12-22 18:03 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-12-22 18:02 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-12-22 18:02 385024 ------w- c:\windows\system32\html.iec
2011-08-18 13:25 . 2011-08-28 20:58 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-17 13:49 . 2008-04-14 06:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-08 04:08 . 2011-03-01 20:25 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-12-22 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-11-02_00.35.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-05 16:34 . 2011-11-05 16:33 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
- 2011-11-02 00:34 . 2011-11-02 00:34 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2011-11-05 16:34 . 2011-11-05 16:33 16384 c:\windows\temp\History\History.IE5\index.dat
- 2011-11-02 00:34 . 2011-11-02 00:34 16384 c:\windows\temp\History\History.IE5\index.dat
- 2011-11-02 00:34 . 2011-11-02 00:34 16384 c:\windows\temp\Cookies\index.dat
+ 2011-11-05 16:34 . 2011-11-05 16:33 16384 c:\windows\temp\Cookies\index.dat
+ 2011-11-02 23:05 . 2011-11-02 23:05 442368 c:\windows\ERDNT\AutoBackup\11-3-2011\Users\00000002\UsrClass.dat
+ 2011-11-02 23:05 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\11-3-2011\ERDNT.EXE
+ 2011-11-04 10:00 . 2011-11-04 10:00 4671488 c:\windows\Installer\83812d4.msi
+ 2011-11-04 09:49 . 2011-11-04 09:49 4674560 c:\windows\Installer\8381294.msi
+ 2011-11-05 16:39 . 2011-11-05 16:40 17780736 c:\windows\ERDNT\AutoBackup\11-5-2011\Users\00000001\NTUSER.DAT
+ 2011-11-02 23:04 . 2011-11-02 23:05 17780736 c:\windows\ERDNT\AutoBackup\11-3-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"pamela.exe"="c:\program files\Pamela\Pamela.exe" [2011-11-01 11909120]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 2595480]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 905056]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 140568]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-24 2415456]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-10-12 273528]
.
c:\documents and settings\moe\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\moe\Application Data\Dropbox\bin\Dropbox.exe [2011-7-20 24176560]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2011-7-21 114688]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-10-12 18:50 273528 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\moe\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\moe\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 3:13 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 11:03 PM 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/28/2011 9:58 PM 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 1:41 PM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 7:59 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [10/6/2011 1:21 AM 288088]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
RUnknown rpcnetp;rpcnetp; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 8:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2011 2:19 AM 136176]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/15/2011 4:28 AM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 2:53 PM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 2:53 PM 16720]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2011 2:19 AM 136176]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/18/2011 2:25 PM 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/18/2011 2:25 PM 15232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 8:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RPCNETP
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 21:02]
.
2011-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-21 01:19]
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-21 01:19]
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-842925246-1801674531-1004Core.job
- c:\documents and settings\moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-15 03:49]
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-842925246-1801674531-1004UA.job
- c:\documents and settings\moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-15 03:49]
.
2011-11-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-842925246-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 11:40]
.
2011-11-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-842925246-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 11:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/mail/?source=navclient-ff&shva=1#inbox
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-05 17:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1748)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3820)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Hotspot Shield\bin\hsswd.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\System32\rpcnetp.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2011-11-05 17:48:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-05 16:48
ComboFix2.txt 2011-11-03 23:25
ComboFix3.txt 2011-11-03 10:45
ComboFix4.txt 2011-11-02 00:48
.
Pre-Run: 40,878,555,136 bytes free
Post-Run: 40,913,092,608 bytes free
.
- - End Of File - - 05ADAB2A9DBAA5DDA2F8B3C7AC44C1B0

jeffce
2011-11-05, 23:30
Hi Kenny,

Would you please run ESET online scan again and then post the log that is created into your next reply. :)

kenny5277
2011-11-06, 19:14
Threats found!

jeffce
2011-11-07, 02:31
Hi Kenny,

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to virustotal, please click VirusTotal (www.virustotal.com)

Use Choose a File and browse to and select the following bolded file (one at a time if more than one file is listed)

C:\Documents and Settings\moe\My Documents\Misc\Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-Ethernet-NIC.exe

Scroll down a bit and click "Send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample it belongs to.
----------

kenny5277
2011-11-07, 03:26
Not sure how you wanted it but I copied and pasted it, and attached a PDF of the same thing.

File name: Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-E[...].exe
Submission date: 2011-11-07 01:06:25 (UTC)
Current status: finished
Result: 5/ 43 (11.6%)

Antivirus Version Last Update Result
AhnLab-V3 2011.11.05.02 2011.11.06 -
AntiVir 7.11.17.28 2011.11.06 -
Antiy-AVL 2.0.3.7 2011.11.06 Trojan/Win32.FakeAV.gen
Avast 6.0.1289.0 2011.11.06 Win32:Malware-gen
AVG 10.0.0.1190 2011.11.06 -
BitDefender 7.2 2011.11.07 -
ByteHero 1.0.0.1 2011.11.04 -
CAT-QuickHeal 11.00 2011.11.06 -
ClamAV 0.97.3.0 2011.11.07 -
Commtouch 5.3.2.6 2011.11.06 -
Comodo 10691 2011.11.07 -
DrWeb 5.0.2.03300 2011.11.07 -
Emsisoft 5.1.0.11 2011.11.07 -
eSafe 7.0.17.0 2011.11.06 -
eTrust-Vet 36.1.8657 2011.11.05 -
F-Prot 4.6.5.141 2011.11.06 -
F-Secure 9.0.16440.0 2011.11.06 -
Fortinet 4.3.370.0 2011.11.06 -
GData 22 2011.11.07 Win32:Malware-gen
Ikarus T3.1.1.107.0 2011.11.06 -
Jiangmin 13.0.900 2011.11.06 -
K7AntiVirus 9.117.5398 2011.11.05 -
Kaspersky 9.0.0.837 2011.11.07 -
McAfee 5.400.0.1158 2011.11.07 -
McAfee-GW-Edition 2010.1D 2011.11.06 -
Microsoft 1.7801 2011.11.06 -
NOD32 6606 2011.11.07 -
Norman 6.07.13 2011.11.06 -
nProtect 2011-11-06.01 2011.11.06 -
Panda 10.0.3.5 2011.11.06 -
PCTools 8.0.0.5 2011.11.07 -
Prevx 3.0 2011.11.07 -
Rising 23.82.02.02 2011.11.02 -
Sophos 4.71.0 2011.11.06 -
SUPERAntiSpyware 4.40.0.1006 2011.11.05 -
Symantec 20111.2.0.82 2011.11.07 -
TheHacker 6.7.0.1.338 2011.11.06 Trojan/FakeAV.ebvf
TrendMicro 9.500.0.1008 2011.11.06 -
TrendMicro-HouseCall 9.500.0.1008 2011.11.07 -
VBA32 3.12.16.4 2011.11.04 Trojan.FakeAV.ebvf
VIPRE 10984 2011.11.07 -
ViRobot 2011.11.5.4757 2011.11.06 -
VirusBuster 14.1.49.0 2011.11.06 -
Additional information
MD5 : 6cb581e1daeb9b08084be84f536a9fcb
SHA1 : cf197fb5cbce38b01ebe507f8162908689731589
SHA256: f1717ec7d13a6a450ca8c569dd9e0006b64ce23ec4bc2bfa8ce8d36e04fd4343

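As an added example (not from the thread and not VirusTotal's own code), here is a small Python triage helper for a report pasted in the text form shown above: it reads the declared ratio, parses the "Antivirus Version Last Update Result" rows, lists which engines flagged the file and counts the family names those verdicts agree on, so a low ratio such as 5/43 can be read together with the consistent "FakeAV" naming. The embedded report is a constructed subset of the rows posted above.

```python
"""Parse a VirusTotal text report (as pasted in the thread) for triage.

Added example; the row format is taken from the report above. The sample
below is a constructed subset of that report (the full one has 43 rows).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed subset of the posted report, kept in the pasted text layout.
SAMPLE_REPORT = """\
File name: Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-E[...].exe
Submission date: 2011-11-07 01:06:25 (UTC)
Current status: finished
Result: 5/ 43 (11.6%)

Antivirus Version Last Update Result
AhnLab-V3 2011.11.05.02 2011.11.06 -
Antiy-AVL 2.0.3.7 2011.11.06 Trojan/Win32.FakeAV.gen
Avast 6.0.1289.0 2011.11.06 Win32:Malware-gen
AVG 10.0.0.1190 2011.11.06 -
GData 22 2011.11.07 Win32:Malware-gen
McAfee-GW-Edition 2010.1D 2011.11.06 -
TheHacker 6.7.0.1.338 2011.11.06 Trojan/FakeAV.ebvf
VBA32 3.12.16.4 2011.11.04 Trojan.FakeAV.ebvf
Additional information
MD5 : 6cb581e1daeb9b08084be84f536a9fcb
"""

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")          # "2011.11.06"
RATIO_RE = re.compile(r"^Result:\s*(\d+)\s*/\s*(\d+)")   # "Result: 5/ 43 (11.6%)"
# Label parts that name a class, platform or genericness rather than a family.
GENERIC_PARTS = {"trojan", "win32", "gen", "generic", "malware", "heur", "virus"}


@dataclass
class EngineRow:
    engine: str
    version: str
    updated: str
    result: str  # "-" means the engine did not flag the file

    @property
    def flagged(self) -> bool:
        return self.result != "-"

    def family_parts(self) -> set[str]:
        """Family-looking tokens in the verdict, e.g. {"FakeAV"}.

        Splits on the separators the engines use, drops generic class words
        and all-lowercase variant suffixes such as "ebvf" or "gen".
        """
        parts = re.split(r"[./:\-_!]", self.result)
        return {p for p in parts
                if p.lower() not in GENERIC_PARTS and not p.islower() and len(p) > 2}


@dataclass
class Report:
    declared_ratio: Optional[tuple[int, int]]
    rows: list[EngineRow] = field(default_factory=list)

    def detections(self) -> list[EngineRow]:
        return [r for r in self.rows if r.flagged]

    @property
    def ratio(self) -> tuple[int, int]:
        """Detections over rows actually parsed (not the declared header)."""
        return (len(self.detections()), len(self.rows))

    @property
    def complete(self) -> bool:
        """True when every engine row of the declared total was parsed."""
        return self.declared_ratio is not None and self.declared_ratio[1] == len(self.rows)

    def family_consensus(self) -> Counter:
        """How many flagging engines name each family ("FakeAV" -> 3 above)."""
        counts: Counter = Counter()
        for row in self.detections():
            counts.update(row.family_parts())
        return counts


def parse_report(text: str) -> Report:
    declared = None
    rows: list[EngineRow] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RATIO_RE.match(line)
        if m:
            declared = (int(m.group(1)), int(m.group(2)))
            continue
        if line.startswith("Antivirus ") and line.endswith("Result"):
            in_table = True          # header row of the engine table
            continue
        if not in_table:
            continue
        if line.startswith("Additional information") or line.startswith(("MD5", "SHA1", "SHA256")):
            break                    # hash block follows the table
        tokens = line.split()
        # The "Last Update" date is always second from the end; anchoring on it
        # keeps the columns right even if a version string contains spaces.
        if len(tokens) < 4 or not DATE_RE.match(tokens[-2]):
            continue
        rows.append(EngineRow(tokens[0], " ".join(tokens[1:-2]), tokens[-2], tokens[-1]))
    return Report(declared, rows)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("declared:", rep.declared_ratio, "parsed:", rep.ratio, "complete:", rep.complete)
    for row in rep.detections():
        print(f"  {row.engine:<20} {row.result}")
    print("family consensus:", dict(rep.family_consensus()))
```

The `complete` flag matters when a pasted report has been truncated: the declared 5/43 comes from the header, while `ratio` is recomputed only from the rows that were actually present.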
jeffce
2011-11-07, 03:49
Hi Kenny,

That was just the way I needed to see that report. :)

Please do the following...

Click Start > Run > type CMD > press OK and this opens the command prompt.

Copy the contents of the code box > right click in the command window and select paste


del C:\Documents and Settings\moe\My Documents\Misc\Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-Ethernet-NIC.exe

Press Enter
----------

Please run DDS once more and post the newly created log into your next reply.

How is your system running?

kenny5277
2011-11-07, 12:45
Hi Kenny,

That was just the way I needed to see that report. :)

Please do the following...

Click Start > Run > type CMD > press OK and this opens the command prompt.

Copy the contents of the code box > right click in the command window and select paste


del C:\Documents and Settings\moe\My Documents\Misc\Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-Ethernet-NIC.exe

Press Enter
----------



Jeff, when I do this I get "The system cannot find the path specified". Just to be clear, from the cmd prompt I start off in "c:\Documents and Settings\moe>" so when I copy and paste the code box, it looks like "c:\Documents and Settings\moe>del C:\Documents and Settings\moe\My Documents\Misc\Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-Ethernet-NIC.exe"

Is that right? Do I need to change the directory first?

jeffce
2011-11-07, 14:51
Hi Kenny,

Yes, be sure to change the directory to C:\Windows\system32. Then attempt to rerun using the code below.


del "C:\Documents and Settings\moe\My Documents\Misc\Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-Ethernet-NIC.exe"

Once you get that finished be sure to run DDS again and let me know how your system is running. :)

kenny5277
2011-11-07, 16:36
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by moe at 15:23:40 on 2011-11-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1402 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\ntvdm.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mail.google.com/mail/?source=navclient-ff&shva=1#inbox
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [pamela.exe] "c:\program files\pamela\Pamela.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
StartupFolder: c:\docume~1\moe\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\moe\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\moe\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1310704740187
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{437F6C09-69C6-43A2-96BA-F21E51DDE9BA} : DhcpNameServer = 192.168.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-8-28 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2011-10-6 288088]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-15 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-21 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-21 136176]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-03 12:18:20 -------- d-----w- c:\progra~1\ESET
2011-11-02 00:07:48 -------- d-sha-r- C:\cmdcons
2011-11-02 00:01:55 98816 ----a-w- c:\windows\sed.exe
2011-11-02 00:01:55 518144 ----a-w- c:\windows\SWREG.exe
2011-11-02 00:01:55 256000 ----a-w- c:\windows\PEV.exe
2011-11-02 00:01:55 208896 ----a-w- c:\windows\MBR.exe
2011-10-25 13:05:55 -------- d-----w- c:\progra~1\MALWAREBYTES ANTI-MALWARE
2011-10-24 17:59:58 -------- d-----w- C:\$AVG
2011-10-24 10:09:21 -------- d-----w- c:\docume~1\moe\applic~1\AVG2012
2011-10-24 10:07:25 -------- d-----w- c:\docume~1\alluse~1\application data\AVG2012
2011-10-21 00:46:53 -------- d-----w- c:\progra~1\AVIcodec
2011-10-21 00:38:03 -------- d-----w- c:\docume~1\moe\applic~1\DDMSettings
2011-10-17 15:33:56 -------- d-----w- c:\windows\pss
2011-10-12 18:51:12 -------- d-----w- c:\progra~1\common~1\xing shared
.
==================== Find3M ====================
.
2011-11-05 16:50:39 44544 ----a-w- c:\windows\system32\agremove.exe
2011-11-01 09:48:49 172544 ----a-w- c:\windows\system32\RemoteControl.dll
2011-10-07 05:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 05:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-26 09:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 09:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 04:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-28 21:01:49 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-08-28 21:01:49 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec
2011-08-18 13:25:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 15:25:31.95 ===============

kenny5277
2011-11-07, 16:37
I have to run out right now, but I'll post again in a few hours to let you know how it's running. (I need time to try a few things to see). :)

jeffce
2011-11-07, 16:42
Sounds good. :)

kenny5277
2011-11-07, 21:40
BTW, my machine was just performing very slowly. Extremely slowly. So I checked the task manager and noticed that the CPU was working at a consistent 40-60% but the idle process was close to 99%, and there was very little activity from any other processes in the list. (is this indicative of a rootkit?)

Anyway, I just wanted to update the thread since this is new since my last post.

Hey Jeff. Regarding this post, this problem is still there. My machine takes over 15 minutes to boot-up. Once it does, using Process Explorer, I see that a very high % of the CPU is being used on "Hardware Interrupts and DPCs" (often 30-50%). Is this a hardware problem? I don't think I had this problem before I posted the above quote from page 1 of this thread. But is it possible this is unrelated to the malware problem and just coincidental?

jeffce
2011-11-07, 21:57
Hi Kenny,

Try to hook up your internet with a hardline (wired) connection directly and see if you are still having the problem.

kenny5277
2011-11-07, 22:08
It already is.

jeffce
2011-11-07, 22:22
Hi Kenny,

I don't think that this problem is malware related but a problem with your drivers. I would recommend that you start a new topic here (http://forums.whatthetech.com/index.php?showforum=126) and let them know your remaining problems. They will be able to better assist you with these problems than I can. When you do post your new topic be sure to post the link here as well so the helpers can see what we have done. :)

When they finish be sure to come back here and I can remove our tools and give you some good information on keeping your system secure. :)

kenny5277
2011-11-08, 12:58
Hey Jeff,

I started the thread over there. See you in a bit! (when they're finished with me).

(and thank you so much for your speedy responses and great help here! I appreciate it a great deal!)

jeffce
2011-11-08, 16:57
Sounds good Kenny. :)

kenny5277
2011-11-15, 02:05
Hey Jeff. I'm back, but things have taken an unexpected turn.

I went to the other forum as you suggested and started a thread. In the course of the thread I remembered that I had an Acronis image file of my laptop with a fresh XP install, and since I had so much crap on my machine anyway, I just decided to restore the image and basically start fresh. (I also made a complete image of the C drive as it was before I did the restore, which is on my external 3 TB drive). As I expected, that "hardware interrupt..." problem is gone.

I installed AVG, and maybe 3 other things only (Chrome, MS Office, Skype, Pamela for skype). I copied on to the freshly installed machine only some personal document folders, and the google chrome application data folder (to get my bookmarks), and some folders in Pamela (if you're unfamiliar, Pamela works with skype to give features like voicemail, video recording, etc...).

So I'm completely surprised when I just walked in and noticed AVG found 4 instances of a virus threat!!!

So I'm thinking either:
1. The malware is on my external drive. OR
2. I managed to catch a new threat in record time (unlikely. I haven't done anything risky).

so WTF??!!!

I'm attaching a screenshot of AVG's threat detections, and I'll post a DDS log in another post. Help!!

kenny5277
2011-11-15, 02:06
Oops. Forgot to upload the attachment.

kenny5277
2011-11-15, 02:21
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by moe at 1:18:15 on 2011-11-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.540 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Pamela\pamela.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\moe\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [pamela.exe] "c:\program files\pamela\pamela.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\moe\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1310704740187
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{437F6C09-69C6-43A2-96BA-F21E51DDE9BA} : DhcpNameServer = 192.168.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-14 22:49:08 -------- d--h--w- C:\$AVG
2011-11-13 23:54:05 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-11-13 22:38:31 -------- d-----w- c:\documents and settings\moe\application data\Pamela
2011-11-13 22:38:28 172544 ----a-w- c:\windows\system32\RemoteControl.dll
2011-11-13 22:38:26 -------- d-----w- c:\program files\Pamela
2011-11-13 22:34:32 -------- d-----r- c:\program files\Skype
2011-11-13 21:50:14 -------- d-----w- c:\documents and settings\moe\application data\AVG2012
2011-11-13 21:49:46 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-11-13 21:49:17 -------- d-----w- c:\windows\system32\drivers\AVG
2011-11-13 21:49:17 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-11-13 21:48:51 -------- d-----w- c:\program files\AVG
2011-11-13 21:46:23 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-11-13 21:37:41 -------- d-----w- c:\documents and settings\moe\local settings\application data\Google
2011-11-13 21:37:25 -------- d-----w- c:\documents and settings\moe\local settings\application data\Deployment
2011-11-13 20:55:18 293376 ------w- c:\windows\system32\browserchoice.exe
2011-11-13 20:47:16 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-11-13 20:47:16 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-11-13 20:45:09 44544 ----a-w- c:\windows\system32\agremove.exe
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 05:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 05:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 05:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 1:18:48.79 ===============

jeffce
2011-11-15, 04:13
Hi Kenny,

The entries that are being shown by AVG are all in restore points on your system. So as long as you don't go back to that restore point, they are nothing to worry about.

To be on the safe side, let's do an ESET scan on your system, including your external hard drive (be sure that it is connected).

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable your on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the "ESET Online Scanner" button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click "ESET Smart Installer" to download the ESET Smart Installer. Save it to your desktop.
Double-click the ESET Smart Installer icon on your desktop.

Check the box to accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Check "Scan archives".
Make sure that the option "Remove found threats" is unchecked.
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push "List of found threats".
Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish.

http://www.eset.com/onlinescan/
----------

kenny5277
2011-11-15, 18:00
Hey Jeff. If I restored a fresh install, how could I have gotten something already in the restore points? Should I delete those?

Here's the scan.

jeffce
2011-11-15, 18:13
Hi Kenny,

Let's go ahead and remove all of your restore points except the most recent.

Remove all System Restore points except the most recent one:

To do this:
Click Start > All Programs > Accessories > System Tools > click Disk Cleanup.
Now launch this utility and click the More Options tab.
Under this, click System Restore, then click Clean Up. A message will pop up: "Are you sure you want to delete all but the most recent restore point?" Click Yes, then OK.
Finally, another message will pop up: "Are you sure you want to perform these actions?" Click Yes.
Now, all the System Restore points except the most recent one are cleaned.

jeffce
2011-11-15, 18:18
Hi Kenny,

You know, this is just my opinion but you might try another antivirus program other than AVG. AVG is quite a resource hog on a computer. You may be better served using Microsoft Security Essentials (http://www.microsoft.com/security/pc-security/mse.aspx) (my favorite) or Avast (http://www.avast.com/en-au/free-antivirus-download). They are both free and are very good antivirus programs. Just my opinion.

kenny5277
2011-11-15, 18:31
Jeff, thanks for the suggestion. I'll check some reviews and most likely make the switch in a day or 2.

I've deleted the restore files as you said.

jeffce
2011-11-15, 19:08
Hi Kenny,

Sounds good. Is there anything else I could help you with? If not I think we can close this out. :bigthumb:

kenny5277
2011-11-15, 19:13
Well, actually Jeff, what about the external drive? Anything need to be done from the ESET scan?

jeffce
2011-11-15, 22:37
Hi Kenny,

Sorry I have been at work all day.

You can go ahead and delete the files by browsing to the files and deleting them. They are not necessarily infections but they can go.

Delete these:

E:\Backup\Documents and Settings\Moe\My Documents\Temp Downloads\HSS-1.37-install-anchorfree-76-conduit.exe <=======
E:\Kenny's Stuff\software\Nero 8\Toolbar.exe <=======
E:\Kenny's Stuff\software\Nero 8\Nero PhotoShow Express\nero_photoshow_express_5_setup.exe <=======

kenny5277
2011-11-16, 03:22
Jeff, many thanks again for your help!! (and for such a small paycheck ;) )

Come to Berlin and I'll buy you a beer!

(Shall I go ahead and uninstall/delete ERUNT, ESET, and DDS?) Anything in particular I need to know about that?

jeffce
2011-11-16, 03:33
> Come to Berlin and I'll buy you a beer!

LOL!! I have family in Leipzig. I have been to Berlin and love it there. I actually lived in Mannheim for four years. :)

As you will read below you can just delete all of those tools that we used earlier.
------------

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I cannot give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords, as this is especially important after an infection.

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
Open Internet Explorer
Click on Tools > Internet Options
Press Security tab
Select Internet zone then place check next to Enable Protected Mode if not already done
Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I cannot overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever-increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html). **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. Consider a custom hosts file such as MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm). This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002 (http://www.mvps.org/winhelp2002/hosts.htm)
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

7. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

8. Finally, I strongly recommend that you read TonyKlein's good advice "So how did I get infected in the first place?" (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
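The Internet Explorer zone settings from steps 1 and 2 above can be audited instead of re-checked by hand in the dialogs. The PowerShell below is an added example, not from the thread or from any tool it mentions; it assumes the documented per-zone values under HKCU\...\Internet Settings\Zones (setting IDs 1001, 1004, 1201, 1800, 1804, 1607 and 2500) and only reads them, so it changes nothing.

```powershell
# Added example, not from the thread: read-only audit of the Internet Explorer zone
# settings recommended in steps 1 and 2 above. Nothing is changed; mismatches are listed.
# Zone numbers and numeric setting IDs are Microsoft's documented "Internet Settings\Zones"
# registry values (0 = Enable, 1 = Prompt, 3 = Disable; for 2500 Protected Mode, 0 = On, 3 = Off).
$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Step 1: the six Internet-zone (zone 3) settings and the values the post asks for.
$expectedInternet = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}

# DWORD for one setting in one zone, or $null when absent (then IE's built-in default applies).
function Get-ZoneValue([int]$Zone, [string]$Id) {
    $props = Get-ItemProperty -Path (Join-Path $zonesKey $Zone) -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Id) { return $null }
    return [int]$props.$Id
}

function New-Finding($Zone, $Setting, $Current, $Recommended) {
    New-Object PSObject -Property @{ Zone = $Zone; Setting = $Setting; Current = $Current; Recommended = $Recommended }
}

$findings = @()
foreach ($id in $expectedInternet.Keys) {
    $actual = Get-ZoneValue -Zone 3 -Id $id
    $want   = $expectedInternet[$id].Want
    if ($actual -ne $want) {
        $current = if ($null -eq $actual) { 'not set' } elseif ($labels.ContainsKey($actual)) { $labels[$actual] } else { "$actual" }
        $findings += New-Finding 'Internet' $expectedInternet[$id].Name $current $labels[$want]
    }
}

# Step 2: Protected Mode (value 2500) in all four zones. It exists only on Vista and later,
# so on Windows XP the value is absent and is reported as not applicable, not as a finding.
foreach ($zone in 1..4) {
    $pm = Get-ZoneValue -Zone $zone -Id '2500'
    if ($null -eq $pm) { Write-Host "$($zoneNames[$zone]): no Protected Mode value (not available on XP)"; continue }
    if ($pm -ne 0) { $findings += New-Finding $zoneNames[$zone] 'Protected Mode' 'Off' 'On' }
}

if ($findings.Count -eq 0) { 'All checked Internet Explorer zone settings match the recommendations.' }
else { $findings | Format-Table Zone, Setting, Current, Recommended -AutoSize }
```

Run it as the same user whose Internet Explorer profile you hardened, since the values live under HKCU and a different account sees different settings.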

kenny5277
2011-11-16, 16:27
Then you are always welcome!

Again, many thanks Jeff. Best. :)

jeffce
2011-11-16, 17:16
Thank you. I appreciate that. :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.