Thread: TR/Crypt.XPACK.Gen2 found
#1 - Visiting Fellow

    Hi Gigihns.
    Continue with the instructions below please.

    Disable Avira anti-virus

    • Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
    • Right-click it -> untick the option AntiVir Guard enable.
    • You should now see a closed white umbrella on a red background.
    • Note: Don't forget to re-enable it after the fix.


    Next.

    Download and Run ComboFix
    • Please download ComboFix from one of the following links.

      Link 1.

      Link 2.

      **IMPORTANT !!! Save ComboFix.exe to your Desktop**
    • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    • Double click on ComboFix.exe & follow the prompts
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

    A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper




    Logs/Information to Post in your Next Reply

    • ComboFix.txt.
    • Please give me an update on your computers performance.

#2 - Junior Member

    I don't know if this is a problem, but when ComboFix restarted my computer, Avira and Comodo became enabled (they were both disabled while ComboFix was working). I disabled them again while ComboFix was creating the log and re-enabled them when the log was complete.



    Here is the ComboFix log:

    ComboFix 11-02-26.02 - Compaq_Owner 02/27/2011 12:56:01.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.106 [GMT -6:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
    c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
    c:\windows\explorer(2).exe
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
    .

    2011-02-23 13:39 . 2011-02-23 14:12 -------- d-----w- c:\program files\ERUNT
    2011-02-21 22:10 . 2011-02-21 22:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-21 22:10 . 2011-02-21 22:09 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-21 20:29 . 2011-02-21 20:29 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Avira
    2011-02-21 19:53 . 2011-01-10 20:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-02-21 19:53 . 2011-01-10 20:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-21 19:53 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-02-21 19:53 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-02-21 19:42 . 2011-02-21 19:42 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-02-21 19:32 . 2011-02-21 20:46 -------- d-----w- c:\windows\system32\CatRoot_bak
    2011-02-21 19:27 . 2011-02-21 19:31 -------- d-s---w- c:\documents and settings\Administrator
    2011-02-21 19:04 . 2011-02-21 19:04 -------- d-----w- c:\windows\system32\scripting
    2011-02-21 19:04 . 2011-02-21 19:04 -------- d-----w- c:\windows\l2schemas
    2011-02-21 17:32 . 2011-02-21 21:45 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-21 17:19 . 2011-02-21 17:19 -------- d-----w- c:\program files\Avira
    2011-02-21 17:19 . 2011-02-21 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-02-21 17:12 . 2011-02-21 17:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-02-21 17:08 . 2011-02-21 17:08 -------- d-----w- c:\program files\COMODO
    2011-02-21 17:07 . 2011-02-21 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
    2011-02-21 16:29 . 2011-02-27 18:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2011-02-21 16:29 . 2011-02-23 03:13 -------- d-----w- c:\program files\SpywareBlaster
    2011-02-21 14:36 . 2011-02-21 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-02-21 14:36 . 2011-02-21 14:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-02-21 04:19 . 2004-08-04 05:08 25600 ----a-w- c:\windows\system32\drivers\usbser.sys
    2011-02-21 04:19 . 2004-08-04 05:08 25600 ----a-w- c:\windows\system32\dllcache\usbser.sys
    2011-02-21 03:46 . 2011-02-21 03:46 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IECompatCache
    2011-02-21 03:45 . 2011-02-21 03:45 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE
    2011-02-21 02:07 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-02-21 02:07 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2011-02-21 02:07 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-02-21 02:07 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-02-21 02:07 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
    2011-02-21 02:07 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-02-21 02:07 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
    2011-02-21 02:05 . 2001-08-17 19:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2011-02-21 02:05 . 2001-08-17 19:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
    2011-02-21 02:05 . 2011-02-21 02:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-02-21 02:04 . 2001-08-17 20:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2011-02-21 02:04 . 2001-08-17 20:02 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
    2011-02-21 01:57 . 2011-02-21 01:57 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache
    2011-02-18 21:03 . 2011-02-18 21:05 -------- dc-h--w- c:\windows\ie8
    2011-02-13 22:16 . 2011-02-13 22:16 -------- d-----w- c:\windows\Options
    2011-02-13 21:56 . 2004-08-04 18:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2011-02-13 21:46 . 2011-02-13 21:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Motive

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-21 19:08 . 2011-02-21 19:08 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\LocalContent\Attachments\devcon.exe
    2011-02-21 19:08 . 2011-02-21 19:08 307200 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\pchnotify.exe
    2011-02-21 19:07 . 2011-02-21 19:07 3072 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\pchealthde.exe
    2011-02-21 19:07 . 2011-02-21 19:07 159744 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    2011-02-21 19:07 . 2011-02-21 19:07 77824 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\FDIWrapper.dll
    2011-02-21 19:07 . 2011-02-21 19:07 26572 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\INV16.dll
    2011-02-21 19:07 . 2011-02-21 19:07 69632 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\msxmlwrapper.dll
    2011-02-21 19:07 . 2011-02-21 19:07 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\ScDmi.dll
    2011-02-21 19:07 . 2011-02-21 19:07 49152 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PCHI18N.dll
    2011-02-21 19:07 . 2011-02-21 19:07 139264 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\ContentUpdater.exe
    2011-02-21 19:07 . 2011-02-21 19:07 110592 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\DSAPI4.dll
    2011-02-21 19:07 . 2011-02-21 19:07 98304 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PluginCtrl.dll
    2011-02-21 19:07 . 2011-02-21 19:07 287310 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\HPBasicDetection.dll
    2011-02-21 19:07 . 2011-02-21 19:07 69632 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\msxmlwrapper.dll
    2011-02-21 19:07 . 2011-02-21 19:07 5632 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\GUI.dll
    2011-02-21 19:07 . 2011-02-21 19:07 114688 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\ZipLib.dll
    2011-02-21 19:07 . 2011-02-21 19:07 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\pchapi.dll
    2011-02-21 19:07 . 2011-02-21 19:07 434176 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\motivede.dll
    2011-02-21 19:07 . 2011-02-21 19:07 315392 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\pchmsxml.dll
    2011-02-21 19:07 . 2011-02-21 19:07 77824 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\WinVerifyTrust.dll
    2011-02-21 19:07 . 2011-02-21 19:07 344064 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\api.dll
    2011-02-21 19:07 . 2011-02-21 19:07 24576 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\pcdapi.dll
    2011-02-21 19:07 . 2011-02-21 19:07 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\util.dll
    2011-02-21 19:07 . 2011-02-21 19:07 356352 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\client_motkt.dll
    2011-02-21 19:07 . 2011-02-21 19:07 28672 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\InetWrap.dll
    2011-02-21 19:07 . 2011-02-21 19:07 282624 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\clientutil52.dll
    2011-02-21 19:07 . 2011-02-21 19:07 102400 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PCDrAccess.dll
    2011-02-21 19:07 . 2011-02-21 19:07 49152 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\hwinv.dll
    2011-02-21 19:07 . 2011-02-21 19:07 315392 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\pchmsxml.dll
    2011-02-21 19:07 . 2011-02-21 19:07 114688 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\asst_ui.dll
    2011-02-21 19:07 . 2011-02-21 19:07 36864 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\gnu.dll
    2011-02-21 19:07 . 2011-02-21 19:07 126976 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\SearchCtrl.dll
    2011-02-21 19:07 . 2011-02-21 19:07 4096 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\winverifytrustwrapper.dll
    2011-02-21 19:07 . 2011-02-21 19:07 212992 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\jsharpinterp.dll
    2011-02-21 19:07 . 2011-02-21 19:07 307200 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\pchealthplugin.dll
    2011-01-06 23:37 . 2011-01-06 23:37 94784 ----a-w- c:\windows\system32\drivers\inspect.sys
    2011-01-06 23:37 . 2011-01-06 23:37 27576 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-01-06 23:37 . 2011-01-06 23:37 239368 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-01-06 23:37 . 2011-01-06 23:37 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2010-12-29 07:42 . 2010-12-29 07:42 285480 ----a-w- c:\windows\system32\guard32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-16 180269]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-14 278528]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
    "PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
    "HPHUPD05"="c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-04-01 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
    "HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-05-04 491520]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 176128]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-16 98304]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-18 2548552]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-2-15 45056]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-5-10 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=

    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [1/6/2011 5:37 PM 239368]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [1/6/2011 5:37 PM 27576]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/21/2011 1:53 PM 135336]
    R3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [6/29/2007 3:54 PM 86656]
    R3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [7/10/2007 1:29 PM 28928]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-27 c:\windows\Tasks\HP Usg Daily.job
    - c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-04-01 04:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-27 13:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1948)
    c:\windows\system32\WININET.dll
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\ALCXMNTR.EXE
    c:\windows\AGRSMMSG.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\HP\hpcoretech\comp\hptskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-27 13:13:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-27 19:13

    Pre-Run: 136,717,635,584 bytes free
    Post-Run: 136,824,524,800 bytes free

    - - End Of File - - 497983499E8FC153F220AC953F1A9EBE

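The log above is worth reading as a triage artefact, not just as something to paste back to the helper. The entries that matter here are the DLL loaded into explorer.exe from the user's Temp folder (IadHide5.dll, which ComboFix listed under "Other Deletions"), a non-empty AppInit_DLLs value, a Run entry given as a bare file name rather than a full path, and the Windows Firewall standard profile being disabled. The script below is an added example, not part of the thread or of ComboFix, that walks a constructed excerpt in ComboFix's log format and raises those four kinds of leads. The sample lines, the rule names and the path list are assumptions made for the example. Note that two of the hits in this particular log are benign on inspection: guard32.dll in AppInit_DLLs belongs to COMODO, and EnableFirewall=0 reflects COMODO replacing the Windows Firewall; the tool produces leads for an analyst to confirm, not verdicts.

```python
import re

# Constructed excerpt in the ComboFix log format, modelled on the log posted
# above (a handful of lines, not the full log; entries are illustrative).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1948)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
"""

# Path fragments an ordinary user can write to (assumed list for the example);
# code running from here is not necessarily malicious, but droppers land here.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\")

# "Name"="target" [date size]   or   "Name"=value   (value may be unquoted)
VALUE_LINE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"?(?P<target>[^"\[]+?)"?\s*(?:\[[^\]]*\])?\s*$')
# - - - - - - - > 'process.exe'(pid)
PROC_HEADER = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)")


def triage(log_text):
    """Return (rule, where, value) tuples for lines worth a second look."""
    findings = []
    section = None      # current registry key, or "dlls" inside the DLL list
    process = None      # 'explorer.exe(1948)' while walking a process's DLLs
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):            # a registry key header
            section, process = line.lower(), None
            continue
        m = PROC_HEADER.match(line)
        if m:
            section, process = "dlls", f"{m['proc']}({m['pid']})"
            continue
        if section == "dlls" and process and line.lower().endswith(".dll"):
            if any(tok in line.lower() for tok in USER_WRITABLE):
                findings.append(("dll_from_user_writable_path", process, line))
            continue
        m = VALUE_LINE.match(line)
        if not m or section is None:
            continue
        name, target = m["name"], m["target"].strip()
        if name.lower() == "appinit_dlls" and target:
            # Any DLL listed here is loaded into every user-mode process.
            findings.append(("appinit_dlls_set", name, target))
        elif name.lower() == "enablefirewall" and target.startswith("0"):
            findings.append(("windows_firewall_disabled", section, target))
        elif "currentversion\\run" in section:
            if "\\" not in target:
                # Bare file name: resolved through the PATH search order at
                # logon, so it is easy to shadow and worth locating on disk.
                findings.append(("run_entry_bare_filename", name, target))
            elif any(tok in target.lower() for tok in USER_WRITABLE):
                findings.append(("run_entry_user_writable_path", name, target))
    return findings


if __name__ == "__main__":
    for rule, where, value in triage(SAMPLE_LOG):
        print(f"{rule:32} {where}: {value}")
```

Run against the excerpt it reports the bare ALCXMNTR.EXE Run entry, the AppInit_DLLs value, the disabled firewall profile and the Temp-resident DLL inside explorer.exe, in log order. Extending USER_WRITABLE or adding a rule for the "Other Deletions" block is straightforward because the parser only keys off the section headers ComboFix already prints.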
#3 - Visiting Fellow

    Hi Gigihns.
    "I don't know if this is a problem"
    No, that's OK, don't worry about it.
    Are you still getting alerts from Avira? Let me know in your next reply.


    Please download ATF Cleaner to your desktop.

    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    Next.

    Disable Avira anti-virus

    • Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
    • Right-click it -> untick the option AntiVir Guard enable.
    • You should now see a closed white umbrella on a red background.
    • Note: Don't forget to re-enable it after the scan below.


    Next.

    ESET online scanner

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    • Hold down Control then click on the following link to open a new window to ESET online scanner
    • Then click on:
      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
    • Select the option YES, I accept the Terms of Use then click on:
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:

      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on:
    • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
    • Now click on:
    • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.



    Logs/Information to Post in your Next Reply

    • ESET log.
    • Please give me an update on your computers performance.

#4 - Junior Member

    I have not received any more virus alerts from Avira. After running the ATF Cleaner, I noticed that the icon for Avira was missing from the system tray.
    It could have been missing before that point, but I noticed it when the next step was to "disable Avira anti-virus" by right-clicking the icon in the tray. I could open Avira from my desktop, and it looked like it was running but I could not find a way to disable it. I finally restarted my computer and the icon returned in the tray and I then disabled Avira and ran the ESET scanner without any trouble.

    Here's the ESET log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=9fbfc3588dc6ee4d9f5b3a1780060181
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-02-28 12:35:51
    # local_time=2011-02-27 06:35:51 (-0600, Central Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775145 100 93 0 34439429 0 0
    # compatibility_mode=3073 16777213 80 75 448128 14907292 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=97245
    # found=33
    # cleaned=0
    # scan_time=3672
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036612.dll Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036613.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036614.DLL Win32/Adware.FunWeb application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036615.DLL Win32/Toolbar.MyWebSearch.B application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036616.DLL Win32/Adware.FunWeb application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036617.DLL Win32/FunWeb application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036618.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036619.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036620.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036621.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036622.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036623.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036624.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036625.DLL Win32/Adware.FunWeb application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036626.SCR Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036627.DLL Win32/Toolbar.MyWebSearch.D application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036628.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036629.EXE Win32/Adware.FunWeb application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036630.DLL Win32/FunWeb application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036632.EXE Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036633.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036634.EXE Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036635.EXE Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036637.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036638.EXE Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036639.EXE Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036640.EXE Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036641.DLL Win32/Toolbar.MyWebSearch.K application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036642.EXE Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036643.DLL Win32/Toolbar.MyWebSearch.J application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036644.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036645.EXE Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036646.DLL Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I

#5 - Junior Member

    Avira is telling me to update...should I wait until we're through?

#6 - Visiting Fellow

    Hi Gigihns.
    "I have not received any more virus alerts from Avira."
    Excellent, good work, well done.
    "Avira is telling me to update...should I wait until we're through?"
    Yes, you can go ahead and let it update.
    What the ESET scan detected were infected system restore points; the instructions below will clean those up.
    Your latest set of logs appears to be clean! If you are having no further problems, you're good to go.

    This is my general post for when your logs show no more signs of malware.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    Time for some housekeeping
    • Click on Start >> Run...
    • Now type in ComboFix /Uninstall into the box and click OK.
    • Note the space between the X and the /Uninstall; it needs to be there.

    The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

    Next.

    OTC

    Download OTC by Old Timer and save it to your Desktop. This tool will remove all the tools we used to clean your pc.

    • Double-click OTC.exe
    • Click the CleanUp! button
    • Select Yes when the "Begin cleanup Process?" prompt appears
    • If you are prompted to reboot during the cleanup, select Yes
    • The tool will delete itself once it finishes; if not, delete it yourself


    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    You can now delete any tools we used if they remain on your Desktop.

    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

    Visit Microsoft often to get the latest updates for your computer
    You can do that HERE

    Read some information HERE On how to prevent Malware

    I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

    Safe surfing!

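The helper's reading of the ESET log above (all 33 hits live under C:\System Volume Information\_restore{...}, so they are stale restore-point copies rather than active files, and resetting System Restore via ComboFix /Uninstall disposes of them) is the kind of check that is easy to automate. The script below is an added example, not part of the thread or of ESET's tooling. It parses the "# key=value" header and the detection lines of a constructed ESET Online Scanner excerpt, sorts each hit into restore point, quarantine or live file, and reports whether anything still needs hands-on removal. The excerpt reuses two lines from the posted log and adds one invented line under a Temp folder so the live-file branch is exercised; that line, the quarantine path pattern and the category names are assumptions made for the example.

```python
import re

# Constructed ESET Online Scanner log excerpt: the header keys and the first
# two detection lines are modelled on the log posted above; the third line (a
# file under the user's Temp folder) is invented for the example.
SAMPLE_ESET_LOG = r"""
# version=7
# remove_checked=false
# scanned=97245
# found=3
# cleaned=0
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036612.dll Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP112\A0036614.DLL Win32/Adware.FunWeb application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Local Settings\Temp\sample.dll a variant of Win32/Adware.FunWeb application (unable to clean) 00000000000000000000000000000000 I
"""

HEADER = re.compile(r"^#\s*(?P<key>\w+)=(?P<value>.*)$")
# <path> <detection name> <result text> <32-hex hash> <flag>
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<name>(?:(?:probably )?a variant of )?\S+/\S+)\s+"
    r"(?P<result>.+?)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$")


def classify(path):
    """Where does a detected file sit, and can it still be executed?"""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"      # an old System Restore snapshot
    if "\\quarantine\\" in p:       # e.g. ComboFix's C:\Qoobox\Quarantine
        return "quarantine"         # already contained by a cleanup tool
    return "live"                   # a file the system could still use


def summarize(log_text):
    header, detections = {}, []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            header[m["key"]] = m["value"].strip()
            continue
        m = DETECTION.match(line)
        if m:
            detections.append((classify(m["path"]), m["path"],
                               m["name"], m["result"]))
    counts = {"restore_point": 0, "quarantine": 0, "live": 0}
    for kind, *_ in detections:
        counts[kind] += 1
    return {
        "declared_found": int(header.get("found", "0")),
        "parsed": len(detections),      # should equal declared_found
        "counts": counts,
        "live": [d[1] for d in detections if d[0] == "live"],
        # Only live hits need manual removal; restore-point hits disappear
        # when System Restore is purged (the ComboFix /Uninstall step here).
        "needs_followup": counts["live"] > 0,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ESET_LOG)
    print(report["counts"], "follow-up needed:", report["needs_followup"])
    for path in report["live"]:
        print("live:", path)
```

On the real log in post #4 every line would classify as restore_point and needs_followup would be False, which is exactly the helper's conclusion. The parsed-versus-declared count is a sanity check: if they differ, a detection line did not match the pattern and should be read by hand rather than silently dropped.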
#7 - Junior Member

    WooHoo!!! I can't thank you enough. I can't believe you fixed it that quickly! You're a hero!!!

    So was it the virus that prevented the SP3 update from working? When I tried to update to SP3 last week, my computer would only work in safe mode and I eventually had to go to the last restore point to get it to work.

    I will continue with all of the instructions.
