View Full Version : Have Smitfraud, need it removed, pls



GNDN-
2012-08-30, 05:23
Good evening,

Apparently I have the Smitfraud trojan. The August download of the MS malicious software tool and Spybot both confirm this. I also have Norton and none of the three have been able to remove it.

Teatimer is still enabled since I am unsure if I should disable it now or wait until a solution is offered.

Below is the DDS log and I have attached the 'attach.txt' zip and aswMBR log.

Any help would be appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Owner at 21:55:09 on 2012-08-29
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2013.689 [GMT -4:00]
.
AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
-netsvcs
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\19.8.0.14\ccSvcHst.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\19.8.0.14\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\taskhost.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.8.0.14\IPS\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe -update activex
uRunOnce: [SpybotDeletingB6018] command.com /c del "C:\Windows\svchost.exe_old"
uRunOnce: [SpybotDeletingD3495] cmd.exe /c del "C:\Windows\svchost.exe_old"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRunOnce: [SpybotDeletingA5549] command.com /c del "C:\Windows\svchost.exe_old"
mRunOnce: [SpybotDeletingC9657] cmd.exe /c del "C:\Windows\svchost.exe_old"
StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{D3A1BF94-5E62-4088-98C5-06CBD103AF65} : DhcpNameServer = 209.18.47.61 209.18.47.62
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.8.0.14\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRunOnce-x64: [SpybotDeletingA5549] command.com /c del "C:\Windows\svchost.exe_old"
mRunOnce-x64: [SpybotDeletingC9657] cmd.exe /c del "C:\Windows\svchost.exe_old"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NAVx64\1308000.00E\SYMDS64.SYS --> C:\Windows\system32\drivers\NAVx64\1308000.00E\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NAVx64\1308000.00E\SYMEFA64.SYS --> C:\Windows\system32\drivers\NAVx64\1308000.00E\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\BASHDefs\20120823.007\BHDrvx64.sys [2012-6-18 1161376]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;C:\Windows\system32\drivers\NAVx64\1308000.00E\ccSetx64.sys --> C:\Windows\system32\drivers\NAVx64\1308000.00E\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\IPSDefs\20120829.001\IDSviA64.sys [2012-8-29 512672]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NAVx64\1308000.00E\Ironx64.SYS --> C:\Windows\system32\drivers\NAVx64\1308000.00E\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NAVx64\1308000.00E\SYMNETS.SYS --> C:\Windows\system32\Drivers\NAVx64\1308000.00E\SYMNETS.SYS [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\19.8.0.14\ccsvchst.exe [2012-8-14 138272]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y62x64.sys --> C:\Windows\system32\DRIVERS\e1y62x64.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-10 138912]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-13 250056]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
.
=============== Created Last 30 ================
.
2012-08-15 01:00:31 503808 ----a-w- C:\Windows\System32\srcore.dll
2012-08-15 01:00:31 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2012-08-15 01:00:29 751104 ----a-w- C:\Windows\System32\win32spl.dll
2012-08-15 01:00:29 67072 ----a-w- C:\Windows\splwow64.exe
2012-08-15 01:00:29 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2012-08-15 01:00:29 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-08-15 01:00:28 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-08-15 01:00:28 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-08-15 01:00:28 136704 ----a-w- C:\Windows\System32\browser.dll
2012-08-15 01:00:16 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-08-15 01:00:10 956928 ----a-w- C:\Windows\System32\localspl.dll
2012-08-04 23:50:48 -------- d-----w- C:\Users\Owner\AppData\Roaming\.minecraft
.
==================== Find3M ====================
.
2012-08-15 01:21:21 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-15 01:21:21 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-06 02:17:58 37536 ----a-w- C:\Windows\System32\drivers\NAVx64\1308000.00E\srtspx64.sys
2012-07-06 02:17:57 737952 ----a-w- C:\Windows\System32\drivers\NAVx64\1308000.00E\srtsp64.sys
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-07 04:43:38 167072 ----a-w- C:\Windows\System32\drivers\NAVx64\1308000.00E\ccsetx64.sys
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
.
============= FINISH: 21:56:40.87 ===============

ken545
2012-09-05, 00:12

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Running programs with Vista or Windows 7, you need to Right Click on the program and select RUN AS ADMINISTRATOR


Sorry for the delay but I am linked to you now


Go ahead and disable the TeaTimer

Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect.

Please do not proceed until the TeaTimer is disabled



Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs.
Double click on the file to run it.
A window will open on your desktop.
If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

GNDN-
2012-09-05, 01:05
Ken,

No worries on the delay; I should have paid more attention to the calendar and waited until after Labor Day. Below is the MBRCheck log.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Intel Corporation
BIOS Manufacturer: Intel Corp.
System Manufacturer:
System Product Name:
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 200):
0x02E1A000 \SystemRoot\system32\ntoskrnl.exe
0x03402000 \SystemRoot\system32\hal.dll
0x00BC2000 \SystemRoot\system32\kdcom.dll
0x00C93000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CE2000 \SystemRoot\system32\PSHED.dll
0x00CF6000 \SystemRoot\system32\CLFS.SYS
0x00E8A000 \SystemRoot\system32\CI.dll
0x00F4A000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00FEE000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00E00000 \SystemRoot\system32\drivers\ACPI.sys
0x00E57000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00E60000 \SystemRoot\system32\drivers\msisadrv.sys
0x00D54000 \SystemRoot\system32\drivers\pci.sys
0x00E6A000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00D87000 \SystemRoot\System32\drivers\partmgr.sys
0x00D9C000 \SystemRoot\system32\drivers\volmgr.sys
0x00C00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00E77000 \SystemRoot\system32\drivers\pciide.sys
0x00C5C000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x00C6C000 \SystemRoot\System32\drivers\mountmgr.sys
0x00E7E000 \SystemRoot\system32\drivers\atapi.sys
0x00DB1000 \SystemRoot\system32\drivers\ataport.SYS
0x00DDB000 \SystemRoot\system32\drivers\msahci.sys
0x00DE6000 \SystemRoot\system32\drivers\amdxata.sys
0x0109F000 \SystemRoot\system32\drivers\fltmgr.sys
0x010EB000 \SystemRoot\system32\drivers\NAVx64\1308000.00E\SYMDS64.SYS
0x0115C000 \SystemRoot\system32\drivers\fileinfo.sys
0x0125E000 \SystemRoot\system32\drivers\NAVx64\1308000.00E\SYMEFA64.SYS
0x01430000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01376000 \SystemRoot\System32\Drivers\msrpc.sys
0x015D3000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01170000 \SystemRoot\System32\Drivers\cng.sys
0x015EE000 \SystemRoot\System32\drivers\pcw.sys
0x01400000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01636000 \SystemRoot\system32\drivers\ndis.sys
0x01729000 \SystemRoot\system32\drivers\NETIO.SYS
0x01789000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x018F1000 \SystemRoot\System32\drivers\tcpip.sys
0x01AF4000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01B3E000 \SystemRoot\system32\drivers\volsnap.sys
0x01B8A000 \SystemRoot\System32\Drivers\spldr.sys
0x01B92000 \SystemRoot\System32\drivers\rdyboost.sys
0x01BCC000 \SystemRoot\System32\Drivers\mup.sys
0x01BDE000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01800000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x0183A000 \SystemRoot\system32\drivers\disk.sys
0x01850000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x018B8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x017B3000 \SystemRoot\system32\drivers\NAVx64\1308000.00E\ccSetx64.sys
0x01600000 \SystemRoot\system32\drivers\NAVx64\1308000.00E\Ironx64.SYS
0x018E2000 \SystemRoot\System32\Drivers\Null.SYS
0x01BE7000 \SystemRoot\System32\Drivers\Beep.SYS
0x01BEE000 \SystemRoot\System32\drivers\vga.sys
0x0140A000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x017E1000 \SystemRoot\System32\drivers\watchdog.sys
0x017F1000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x013D4000 \SystemRoot\system32\drivers\rdpencdd.sys
0x013DD000 \SystemRoot\system32\drivers\rdprefmp.sys
0x013E6000 \SystemRoot\System32\Drivers\Msfs.SYS
0x01200000 \SystemRoot\System32\Drivers\Npfs.SYS
0x01211000 \SystemRoot\system32\DRIVERS\tdx.sys
0x01233000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x01000000 \SystemRoot\system32\drivers\afd.sys
0x02E24000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02E69000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x02E72000 \SystemRoot\system32\DRIVERS\pacer.sys
0x02E98000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02EA7000 \SystemRoot\system32\DRIVERS\serial.sys
0x02EC4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x02EDF000 \SystemRoot\system32\DRIVERS\termdd.sys
0x02EF3000 \SystemRoot\System32\Drivers\NAVx64\1308000.00E\SYMNETS.SYS
0x02F5F000 \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
0x02F97000 \SystemRoot\system32\drivers\NAVx64\1308000.00E\SRTSPX64.SYS
0x02FAC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x02E00000 \SystemRoot\system32\drivers\nsiproxy.sys
0x02E0C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x04338000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
0x043B2000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x043D8000 \SystemRoot\System32\drivers\discache.sys
0x04200000 \SystemRoot\System32\Drivers\dfsc.sys
0x0421E000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x03C23000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\BASHDefs\20120823.007\BHDrvx64.sys
0x03D43000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x0F2A3000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x046BE000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x047B2000 \SystemRoot\System32\drivers\dxgmms1.sys
0x04600000 \SystemRoot\system32\DRIVERS\HECIx64.sys
0x04611000 \SystemRoot\system32\DRIVERS\e1y62x64.sys
0x0465B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x04668000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x0FFC1000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x0FFD2000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x0F200000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x0F23E000 \SystemRoot\system32\DRIVERS\serenum.sys
0x0F24A000 \SystemRoot\system32\DRIVERS\parport.sys
0x0F267000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0F27D000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x0F28D000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x03D69000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x03D8D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x03D99000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x03DC8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x03C00000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x03DE3000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0422F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x0423E000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x047F8000 \SystemRoot\system32\DRIVERS\serscan.sys
0x0FFF6000 \SystemRoot\system32\drivers\ksthunk.sys
0x0424D000 \SystemRoot\system32\drivers\ks.sys
0x0FFFC000 \SystemRoot\system32\DRIVERS\swenum.sys
0x04290000 \SystemRoot\system32\DRIVERS\umbus.sys
0x04CF4000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04D4E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x04E72000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x050D0000 \SystemRoot\system32\drivers\portcls.sys
0x0510D000 \SystemRoot\system32\drivers\drmk.sys
0x00030000 \SystemRoot\System32\win32k.sys
0x0512F000 \SystemRoot\System32\drivers\Dxapi.sys
0x0513B000 \SystemRoot\System32\Drivers\crashdmp.sys
0x05149000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x05155000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x05160000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x05173000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x05190000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x05192000 \SystemRoot\System32\Drivers\nx6000.sys
0x0519F000 \SystemRoot\System32\Drivers\usbvideo.sys
0x051CD000 \SystemRoot\system32\drivers\usbaudio.sys
0x051E8000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00420000 \SystemRoot\System32\TSDDD.dll
0x00710000 \SystemRoot\System32\cdd.dll
0x04E00000 \SystemRoot\system32\DRIVERS\dc3d.sys
0x04E12000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x04E1B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x04E29000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x04E42000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0x04E4E000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x04E5B000 \SystemRoot\system32\DRIVERS\point64.sys
0x04D63000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x008B0000 \SystemRoot\System32\ATMFD.DLL
0x04D71000 \SystemRoot\system32\drivers\luafv.sys
0x04D94000 \SystemRoot\system32\drivers\WudfPf.sys
0x04DB5000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x04DCA000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x04C00000 \SystemRoot\system32\drivers\HTTP.sys
0x04CC9000 \SystemRoot\system32\DRIVERS\bowser.sys
0x04DE2000 \SystemRoot\System32\drivers\mpsdrv.sys
0x01880000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x06469000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x064B7000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x064DB000 \SystemRoot\system32\drivers\peauth.sys
0x06581000 \SystemRoot\System32\Drivers\secdrv.SYS
0x0658C000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x065BD000 \SystemRoot\System32\drivers\tcpipreg.sys
0x06400000 \SystemRoot\System32\DRIVERS\srv2.sys
0x0623C000 \SystemRoot\System32\DRIVERS\srv.sys
0x062D4000 \SystemRoot\System32\Drivers\NAVx64\1308000.00E\SRTSP64.SYS
0x09349000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x09000000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\VirusDefs\20120904.002\EX64.SYS
0x09203000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\VirusDefs\20120904.002\ENG64.SYS
0x09225000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\IPSDefs\20120831.001\IDSvia64.sys
0x77340000 \Windows\System32\ntdll.dll
0x47B10000 \Windows\System32\smss.exe
0xFF660000 \Windows\System32\apisetschema.dll
0xFF700000 \Windows\System32\autochk.exe
0xFF520000 \Windows\System32\rpcrt4.dll
0xFF510000 \Windows\System32\nsi.dll
0x77130000 \Windows\System32\iertutil.dll
0x76FD0000 \Windows\System32\wininet.dll
0x76E80000 \Windows\System32\urlmon.dll
0xFF4F0000 \Windows\System32\imagehlp.dll
0xFF410000 \Windows\System32\oleaut32.dll
0xFF370000 \Windows\System32\comdlg32.dll
0xFF290000 \Windows\System32\advapi32.dll
0xFF280000 \Windows\System32\lpk.dll
0xFF1B0000 \Windows\System32\usp10.dll
0xFF150000 \Windows\System32\Wldap32.dll
0xFF130000 \Windows\System32\sechost.dll
0xFEF20000 \Windows\System32\ole32.dll
0xFE190000 \Windows\System32\shell32.dll
0xFDFB0000 \Windows\System32\setupapi.dll
0xFDF10000 \Windows\System32\clbcatq.dll
0x76D60000 \Windows\System32\kernel32.dll
0xFDEE0000 \Windows\System32\imm32.dll
0xFDE90000 \Windows\System32\ws2_32.dll
0xFDE10000 \Windows\System32\shlwapi.dll
0xFDD90000 \Windows\System32\difxapi.dll
0xFDC80000 \Windows\System32\msctf.dll
0xFDC10000 \Windows\System32\gdi32.dll
0x77510000 \Windows\System32\psapi.dll
0x76C60000 \Windows\System32\user32.dll
0x77500000 \Windows\System32\normaliz.dll
0xFDB70000 \Windows\System32\msvcrt.dll
0xFDB00000 \Windows\System32\KernelBase.dll
0xFDAC0000 \Windows\System32\wintrust.dll
0xFDAA0000 \Windows\System32\devobj.dll
0xFD930000 \Windows\System32\crypt32.dll
0xFD890000 \Windows\System32\comctl32.dll
0xFD850000 \Windows\System32\cfgmgr32.dll
0xFD840000 \Windows\System32\msasn1.dll
0x74DA0000 \Windows\SysWOW64\normaliz.dll

Processes (total 58):
0 System Idle Process
4 System
300 C:\Windows\System32\smss.exe
440 csrss.exe
508 C:\Windows\System32\wininit.exe
524 csrss.exe
572 C:\Windows\System32\services.exe
588 C:\Windows\System32\lsass.exe
596 C:\Windows\System32\lsm.exe
620 C:\Windows\System32\winlogon.exe
752 C:\Windows\System32\svchost.exe
812 C:\Windows\System32\nvvsvc.exe
852 C:\Windows\System32\svchost.exe
948 C:\Windows\System32\svchost.exe
988 C:\Windows\System32\svchost.exe
328 C:\Windows\System32\svchost.exe
936 C:\Windows\System32\svchost.exe
1092 C:\Windows\System32\svchost.exe
1184 C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
1196 C:\Windows\System32\nvvsvc.exe
1324 C:\Windows\System32\spoolsv.exe
1376 C:\Windows\System32\svchost.exe
1484 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
1536 C:\Windows\System32\svchost.exe
1624 C:\Program Files\Microsoft LifeCam\MSCamS64.exe
1632 C:\Windows\System32\taskhost.exe
1776 C:\Program Files (x86)\Norton AntiVirus\Engine\19.8.0.14\ccsvchst.exe
1792 C:\Windows\System32\dwm.exe
1852 C:\Windows\explorer.exe
1952 C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
1336 C:\Windows\System32\svchost.exe
1656 C:\Program Files (x86)\Norton AntiVirus\Engine\19.8.0.14\ccsvchst.exe
1844 C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
2680 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
2756 C:\Program Files\Microsoft LifeChat\LifeChat.exe
2764 C:\Program Files\Microsoft IntelliType Pro\itype.exe
2768 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
2420 C:\Program Files (x86)\Skype\Phone\Skype.exe
3024 C:\Program Files\Windows Sidebar\sidebar.exe
1944 C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
2964 C:\Windows\System32\SearchIndexer.exe
3180 C:\Program Files\Windows Media Player\wmpnetwk.exe
3464 C:\Windows\System32\svchost.exe
3572 C:\Windows\svchost.exe
3620 C:\Windows\System32\conhost.exe
1272 C:\Windows\servicing\TrustedInstaller.exe
3688 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3836 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3760 C:\Windows\System32\audiodg.exe
3568 WmiPrvSE.exe
2800 C:\Windows\System32\svchost.exe
2648 C:\Windows\System32\SearchProtocolHost.exe
3840 C:\Windows\System32\SearchFilterHost.exe
2256 C:\Program Files (x86)\Internet Explorer\iexplore.exe
2520 C:\Windows\System32\SearchProtocolHost.exe
3280 C:\Users\Owner\Desktop\MBRCheck.exe
3940 C:\Windows\System32\conhost.exe
3908 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

PhysicalDrive0 Model Number: ST500DM002-1BD142, Rev: KC44

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
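Added here as an example and not part of the original thread: a small triage script for the two log formats posted above, the DDS "Pseudo HJT Report" lines and the MBRCheck drive table. It flags the items an analyst reads first (UAC policy values set to 0, Hosts overrides, pending RunOnce deletes, a non-default Userinit, and a drive whose MBR status is not the normal "... MBR code detected"). The sample lines, the SHA1 value and the Windows 7 default UAC values are constructed assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the DDS "Pseudo HJT Report" section above
# (illustrative lines, not copied from any real machine).
SAMPLE_DDS = r"""
mWinlogon: Userinit=userinit.exe
uRunOnce: [SpybotDeletingB6018] command.com /c del "C:\Windows\svchost.exe_old"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Constructed sample modelled on the tail of an MBRCheck report.
# The SHA1 is a placeholder, not a real MBR hash.
SAMPLE_MBRCHECK = r"""
Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 0123456789ABCDEF0123456789ABCDEF01234567
"""

# UAC values an analyst wants restored before trusting the box.
# Assumption: these are the Windows 7 defaults.
UAC_EXPECTED = {
    "EnableLUA": "1",
    "ConsentPromptBehaviorAdmin": "5",
    "PromptOnSecureDesktop": "1",
}

POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
RUNONCE_RE = re.compile(r"^[um]RunOnce(?:-x64)?:\s*\[([^\]]+)\]\s*(.*)$")
USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.+)$")
MBR_ROW_RE = re.compile(r"^(\d+\s*GB)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+?)\s*$")
SHA1_RE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})")


def triage_dds(text: str) -> List[str]:
    """Return analyst findings for DDS Pseudo HJT lines, in input order."""
    findings: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            key, val = m.groups()
            if key in UAC_EXPECTED and val != UAC_EXPECTED[key]:
                findings.append(f"UAC weakened: {key}={val} (expected {UAC_EXPECTED[key]})")
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            # Any non-localhost Hosts entry is worth a look: malware uses them to
            # block security sites, but immunization tools add legitimate ones too.
            if host.lower() != "localhost":
                findings.append(f"Hosts override: {host} -> {ip}")
        elif m := RUNONCE_RE.match(line):
            name, cmd = m.groups()
            if re.search(r"\bdel\b", cmd, re.IGNORECASE):
                findings.append(f"RunOnce delete pending: {name}: {cmd}")
        elif m := USERINIT_RE.match(line):
            # DDS prints the bare value; the registry form carries a trailing comma.
            val = m.group(1).strip().strip('"').rstrip(",")
            if val.lower() not in ("userinit.exe", r"c:\windows\system32\userinit.exe"):
                findings.append(f"Userinit tampered: {val}")
    return findings


def triage_mbrcheck(text: str) -> Dict[str, Dict[str, str]]:
    """Map each physical drive in an MBRCheck report to size, status, SHA1 and verdict."""
    drives: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := MBR_ROW_RE.match(line):
            size, dev, status = m.groups()
            current = dev
            # Assumption: a clean disk reports "<OS> MBR code detected"; anything
            # else ("MBR Code Faked!", unknown code) needs manual review.
            verdict = "ok" if "MBR code detected" in status else "suspect"
            drives[dev] = {"size": size, "status": status, "verdict": verdict}
        elif current and (m := SHA1_RE.match(line)):
            drives[current]["sha1"] = m.group(1).upper()
    return drives


if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_DDS):
        print("DDS :", finding)
    for dev, info in triage_mbrcheck(SAMPLE_MBRCHECK).items():
        print("MBR :", dev, info)
```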

ken545
2012-09-05, 01:16
What I would like you to do is to go to Start > Control Panel > Administrative Tools > Computer Management, then in the left pane click on Disk Management. When it opens, expand it to fill the screen, then press Alt + Prnt Scrn, then go to your image editor (Paint will be fine if this is all you have) and paste it in, save it to your desktop and then attach it in your next reply.

GNDN-
2012-09-05, 05:12
As requested, screenshot of disk management.

ken545
2012-09-05, 11:09
Hi,

The reason for all this is aswMBR shows a hidden partition and I am just trying to determine if it's infected. Are you experiencing any browser redirects or odd behavior once you boot your system?

Download ListParts (http://download.bleepingcomputer.com/farbar/ListParts64.exe)

ListParts is a small utility that will create a log that contains a listing of all the hard drive partitions on your computer, which can then be posted on the forum where you are receiving help. This tool is useful for diagnosing rootkit infections that create additional hidden partitions on your computer.

Note: There are both 32-bit and 64-bit versions of GrantPerms available. Please pick the version that matches your operating system's bit type.

GNDN-
2012-09-06, 04:46
I am not experiencing any unwanted redirects or odd behavior after booting. One thing that I found odd is that sometimes the machine would hang mid-boot, before Windows would start. I would have to reset to get the computer to boot up.

Below is the log you requested.

ListParts by Farbar Version: 10-08-2012
Ran by Owner (administrator) on 05-09-2012 at 21:41:53
Windows 7 (X64)
Running From: C:\Users\Owner\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 57%
Total physical RAM: 2012.81 MB
Available physical RAM: 855.23 MB
Total Pagefile: 3990.81 MB
Available Pagefile: 2374.15 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:385.69 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 System Rese NTFS Partition 100 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy Boot

======================================================================================================

****** End Of Log ******
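ListParts reports the partition table as the operating system sees it. As an added example (not the thread's code and not part of ListParts, aswMBR or MBRCheck), the Python below parses a constructed 512-byte MBR image laid out like the log above (a 100 MB active NTFS partition at 1024 KB followed by a ~465 GB NTFS partition at 101 MB) and applies the checks a responder runs when a hidden partition is suspected: the 0x55AA boot signature, exactly one active partition, hidden partition type IDs, overlapping entries, and unallocated space that no entry accounts for. The disk sector count, the slack tolerance and the sample entries are assumptions; the boot code area of the sample is zero-filled, so its hash only illustrates where a tool like MBRCheck takes its SHA1 from.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446            # partition table starts after the 446-byte boot code
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"
MIB = 1024 * 1024

# Partition type IDs; 0x07 is what the ListParts log above shows for both partitions.
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
              0x17: "hidden NTFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 (LBA)",
              0x27: "hidden NTFS (recovery)", 0x83: "Linux", 0xEE: "GPT protective"}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}
SLACK_LIMIT_SECTORS = 8 * MIB // SECTOR   # assumed tolerance for alignment slack (8 MiB)


def build_entry(active, ptype, lba_start, sectors):
    """Pack one 16-byte entry; the CHS fields carry the 0xFE 0xFF 0xFF 'use LBA' marker."""
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_sample_mbr(extra_entries=()):
    """Constructed MBR mirroring the thread's ListParts layout. Boot code is zero-filled."""
    table = build_entry(True, 0x07, 2048, 204800)          # 100 MB starting at 1 MiB
    table += build_entry(False, 0x07, 206848, 976564224)   # remainder of a ~465.66 GB disk
    for entry in extra_entries:
        table += entry
    table += bytes(ENTRY_SIZE * 4 - len(table))            # zero the unused slots
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts; raise on a malformed sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0 and count == 0:
            continue                                       # empty slot
        entries.append({"slot": slot + 1, "active": status == 0x80, "type": ptype,
                        "type_name": TYPE_NAMES.get(ptype, "unknown"),
                        "lba_start": lba, "sectors": count,
                        "offset_mb": lba * SECTOR / MIB, "size_mb": count * SECTOR / MIB})
    return entries


def boot_code_sha1(mbr):
    """SHA-1 of the boot code area, the region an MBR integrity check compares to a known-good copy."""
    return hashlib.sha1(mbr[:TABLE_OFFSET]).hexdigest()


def audit_layout(entries, disk_sectors):
    """Flag what a responder looks for: wrong active count, hidden types, overlaps, unaccounted space."""
    findings = []
    if sum(e["active"] for e in entries) != 1:
        findings.append("expected exactly one active (bootable) partition")
    for e in entries:
        if e["type"] in HIDDEN_TYPES:
            findings.append(f"slot {e['slot']}: hidden partition type 0x{e['type']:02X}")
    cursor = 0                                             # first sector not yet accounted for
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] < cursor:
            findings.append(f"slot {e['slot']}: overlaps the previous partition")
        elif e["lba_start"] - cursor > SLACK_LIMIT_SECTORS:
            gap_mib = (e["lba_start"] - cursor) * SECTOR // MIB
            findings.append(f"{gap_mib} MiB unallocated before slot {e['slot']}")
        cursor = max(cursor, e["lba_start"] + e["sectors"])
    if cursor > disk_sectors:
        findings.append("partition table extends past the end of the disk")
    elif disk_sectors - cursor > SLACK_LIMIT_SECTORS:
        findings.append(f"{(disk_sectors - cursor) * SECTOR // MIB} MiB unallocated at end of disk")
    return findings


if __name__ == "__main__":
    DISK_SECTORS = 976773168   # assumed sector count of a 500 GB drive such as the ST500DM002
    mbr = build_sample_mbr()
    for e in parse_mbr(mbr):
        print(f"slot {e['slot']}: {e['type_name']:<22} offset {e['offset_mb']:.0f} MB "
              f"size {e['size_mb']:.0f} MB active={e['active']}")
    print("boot code sha1:", boot_code_sha1(mbr))
    print("findings:", audit_layout(parse_mbr(mbr), DISK_SECTORS) or "none")
```

On a real machine the 512 bytes would come from reading sector 0 of the physical drive with an administrative tool, and the layout would be compared against what the OS reports, exactly the cross-check being done in this thread with aswMBR, MBRCheck and ListParts: an entry present on disk but absent from the OS view, or a large gap that no entry accounts for, is what a bootkit's hidden partition looks like.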

ken545
2012-09-06, 11:14
Good Morning,

I believe your MBR is fine, so let's move on. Spybot is trying to remove svchost, which is a legit Windows file (can't get by without it), but in your case it's a virus. It's trying to remove it from the Windows folder, and the legit copy in the windows/system32 folder is fine and working.



Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
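The point made above, that a legitimate file name becomes an indicator when the file runs from the wrong directory, can be turned into a mechanical check. The Python below is an added example, not code from the thread or from any of the tools used in it: it parses a process listing in the "PID path" shape of the logs above (the sample lines are constructed here, and the C:\Windows\svchost.exe entry is the one identified in this thread) against a constructed allow-list of where genuine Windows binaries live, and flags copies running from anywhere else as well as entries whose path the listing could not resolve.

```python
import re
from pathlib import PureWindowsPath

# Constructed allow-list: the directories where the genuine copy of each Windows
# binary lives. Comparison is case-insensitive; any other location is suspect.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wininit.exe":  {r"c:\windows\system32"},
    "lsm.exe":      {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "conhost.exe":  {r"c:\windows\system32"},
    "dllhost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed process listing in the "PID  path" shape used by the logs in this thread.
SAMPLE_LISTING = r"""
 552 C:\Windows\system32\wininit.exe
 628 C:\Windows\system32\lsm.exe
 780 C:\Windows\system32\svchost.exe -k netsvcs
2680 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
3464 C:\Windows\System32\svchost.exe
3572 C:\Windows\svchost.exe
3568 WmiPrvSE.exe
3908 C:\Windows\System32\dllhost.exe
"""

# PID, then the image path up to its .exe, then optional command-line arguments.
LINE_RE = re.compile(r"^\s*(\d+)\s+(.+?\.exe)(?:\s+.*)?$", re.IGNORECASE)


def parse_listing(text):
    """Yield (pid, image_path) pairs; trailing command-line arguments are dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2)


def check_process(pid, image_path):
    """Return a finding for a known system binary outside its home directory, else None."""
    p = PureWindowsPath(image_path)          # handles backslash paths on any host OS
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return None                          # no expectation recorded for this binary
    if len(p.parts) == 1:
        return {"pid": pid, "path": image_path, "kind": "unresolved",
                "detail": f"{name} listed without a path; confirm its location on the host"}
    parent = str(p.parent).lower()
    if parent not in EXPECTED_DIRS[name]:
        return {"pid": pid, "path": image_path, "kind": "masquerade",
                "detail": f"{name} running from {p.parent}; genuine copies live in "
                          + " or ".join(sorted(EXPECTED_DIRS[name]))}
    return None


def find_suspicious(text):
    """Run check_process over every parsed line and collect the findings."""
    return [f for f in (check_process(pid, path) for pid, path in parse_listing(text)) if f]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LISTING):
        print(f"[{f['kind']}] pid {f['pid']}: {f['detail']}")
```

The same name-versus-location rule is what the ComboFix log in the next reply records when it deletes c:\windows\svchost.exe while leaving the System32 copy alone; a path check like this is cheap to run over any process or autorun listing before anything is removed.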

GNDN-
2012-09-07, 00:56
Good afternoon!

I ran Combofix as directed; the log is below. I did not realize that Combofix would re-boot my computer, and I set my anti-virus to reactivate on the next boot up. I hope that didn't interfere with Combofix.

ComboFix 12-09-06.02 - Owner 09/06/2012 17:33:42.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2013.890 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-06 to 2012-09-06 )))))))))))))))))))))))))))))))
.
.
2012-09-06 21:40 . 2012-09-06 21:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-30 01:50 . 2012-08-30 01:50 -------- d-----w- c:\program files (x86)\ERUNT
2012-08-15 01:00 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-15 01:00 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-15 01:00 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-15 01:00 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-15 01:00 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-08-15 01:00 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-15 01:00 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-15 01:00 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-08-15 01:00 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-15 01:00 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-15 01:00 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 01:00 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 01:21 . 2012-04-13 23:54 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-15 01:21 . 2012-02-05 23:58 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-15 01:01 . 2012-02-05 22:17 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-06-09 05:43 . 2012-07-22 14:07 14172672 ----a-w- c:\windows\system32\shell32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-08-04 1353080]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-03-16 145408]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-02-05 1255736]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1308000.00E\SYMDS64.SYS [2011-08-16 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1308000.00E\SYMEFA64.SYS [2012-05-22 1129120]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\BASHDefs\20120905.001\BHDrvx64.sys [2012-08-31 1385120]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAVx64\1308000.00E\ccSetx64.sys [2012-06-07 167072]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\IPSDefs\20120906.002\IDSvia64.sys [2012-09-06 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1308000.00E\Ironx64.SYS [2012-04-18 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAVx64\1308000.00E\SYMNETS.SYS [2012-04-18 405624]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\19.8.0.14\ccSvcHst.exe [2012-06-16 138272]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-08-13 3064000]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [2010-04-07 290008]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-11 138912]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-06-24 56344]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2010-12-13 36720]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 01:21]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-10 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-10 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-10 415256]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-09-14 11465832]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 380448]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
Notify-igfxcui - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\19.8.0.14\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\19.8.0.14\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-06 17:51:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-06 21:51
.
Pre-Run: 413,229,256,704 bytes free
Post-Run: 413,033,586,688 bytes free
.
- - End Of File - - B949161586DF2E53D83A84BA7A458CF9

ken545
2012-09-07, 01:18
Great, svchost was removed

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

GNDN-
2012-09-07, 06:33
Good evening

I have run the ESET scan and the report is below.

Have a good night

C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm

ken545
2012-09-07, 13:39
Hi,

Open Spybot and go into the Recovery folder and just delete everything that's in there.


ESET didn't find anything elsewhere and your scans are looking fine.

How is your system behaving now ?

GNDN-
2012-09-08, 02:53
Everything seems to be working fine, thanks. I re-booted and it didn't hang.

If this closes the thread, I would like to take this opportunity to thank you for your help.

Have a great weekend

ken545
2012-09-08, 12:03
Glad all is well. I usually keep a thread open for a day or so in case you have any questions or if you feel something returned; if after that time this thread is closed, you can PM me or an administrator to reopen it or just start a new topic.


We need to update your Java to keep you more secure

Go to your Control Panel and click on the Java icon (looks like a little coffee cup), click on About and you should have Version 7 Update 7; if not, proceed with the instructions.
Go to the Update tab and update it.
Then go to your Add/Remove Programs (WIN XP) or Programs and Features (Vista / Win 7) in the Control Panel and uninstall all previous versions.


You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)




Combofix <--- is not a general cleaning tool; just run it with supervision or you can damage your system.


Click START then RUN
Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /; it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png




Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.


Any tools we used that were not removed you can just drag to the trash.




How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

GNDN-
2012-09-09, 00:25
Thanks again.

I have updated Java and removed the tools. Oddly enough, I did not have the update tab. I downloaded version 7 directly from Java. Now I have auto-updating again.

Was that due to the malware? Or operator error?

ken545
2012-09-09, 01:34
Operator error :) That's what I tell my wife when she messes something up on her computer: USER ERROR

hxxp://java.sun.com/update/1.6.0
Well, what I can see is that your version of Java was very outdated and did not have the functionality that the newer versions have now; no problem, glad you got to update it.

Take Care,

Ken :)

ken545
2012-09-15, 02:42
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.