
Thread: [TR/crypt.xdr.gen] and [WORM/yahoos.zv.1] Found by Avira.

  1. #11
    Junior Member
    Join Date
    Feb 2011
    Posts
    8

    Hi Shelf Life,

    Here is the DDS log + Attach:

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Nicolas at 21:43:08,90 on 08/03/2011
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6001.1.1252.33.1036.18.3070.2026 [GMT 1:00]
    .
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\System Control Manager\MSIService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\rundll32.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Nicolas\Desktop\dds.scr
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Désactivation du cookie publicitaire: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\nicolas\appdata\roaming\mozilla\firefox\profiles\ehg1a77b.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-3-1 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\avira\antivir desktop\sched.exe [2011-3-1 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-1 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-1 56816]
    R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2009-2-18 159744]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-12-25 97536]
    R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr28.sys [2008-12-25 436224]
    S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-3 136176]
    .
    =============== Created Last 30 ================
    .
    2011-03-07 22:10:48 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-03-07 22:10:45 -------- d-----w- c:\users\nicolas\appdata\local\temp
    2011-03-07 22:00:54 98816 ----a-w- c:\windows\sed.exe
    2011-03-07 22:00:54 89088 ----a-w- c:\windows\MBR.exe
    2011-03-07 22:00:54 256512 ----a-w- c:\windows\PEV.exe
    2011-03-07 22:00:54 161792 ----a-w- c:\windows\SWREG.exe
    2011-03-07 22:00:43 -------- d-----w- C:\ComboFix
    2011-03-07 21:54:53 -------- d-----w- c:\program files\Alex Feinman
    2011-03-07 21:39:57 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
    2011-03-07 21:39:57 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
    2011-03-07 21:39:57 15360 ----a-w- c:\windows\system32\inetfr.DLL
    2011-03-07 21:39:57 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
    2011-03-07 21:39:57 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
    2011-03-07 21:39:57 119568 ----a-w- c:\windows\system32\VB6FR.DLL
    2011-03-07 21:39:57 115920 ----a-w- c:\windows\system32\msinet.OCX
    2011-03-07 21:39:57 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2011-03-07 21:39:56 -------- d-----w- c:\users\nicolas\appdata\roaming\FreeBurner
    2011-03-06 16:02:05 2730536 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
    2011-03-06 16:02:01 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{f73b0877-7293-4e45-99df-94e6710f6313}\mpengine.dll
    2011-03-06 16:02:01 222080 ----a-w- c:\windows\system32\MpSigStub.exe
    2011-03-06 13:42:15 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-03-05 21:30:24 -------- d-----w- c:\program files\Ad-Remover
    2011-03-04 19:24:59 2421760 ----a-w- c:\windows\system32\wucltux.dll
    2011-03-04 19:24:50 87552 ----a-w- c:\windows\system32\wudriver.dll
    2011-03-04 19:24:48 33792 ----a-w- c:\windows\system32\wuapp.exe
    2011-03-04 19:24:48 171608 ----a-w- c:\windows\system32\wuwebv.dll
    2011-03-04 10:32:26 -------- d-----w- c:\program files\trend micro
    2011-03-03 19:09:59 -------- d-----w- c:\windows\PCHEALTH
    2011-03-03 19:07:18 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2011-03-03 19:06:01 -------- d-----w- c:\users\nicolas\appdata\local\Microsoft Help
    2011-03-03 18:37:04 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2011-03-03 18:37:02 -------- d-----w- c:\program files\DAEMON Tools Lite
    2011-03-03 18:36:49 -------- d-----w- c:\users\nicolas\appdata\roaming\DAEMON Tools Lite
    2011-03-03 18:36:33 -------- d-----w- c:\progra~2\DAEMON Tools Lite
    2011-03-03 18:09:18 -------- d-----w- c:\users\nicolas\appdata\local\Google
    2011-03-02 21:12:54 -------- d-----r- c:\program files\Skype
    2011-03-02 18:47:59 -------- d-----w- c:\users\nicolas\appdata\roaming\Imuwta
    2011-03-01 20:48:11 -------- d-----w- c:\users\nicolas\appdata\roaming\Foxit Software
    2011-03-01 20:35:47 -------- d-----w- c:\program files\Foxit Software
    2011-03-01 20:20:22 -------- d-----w- c:\users\nicolas\appdata\roaming\Auslogics
    2011-03-01 15:00:31 -------- d-----w- c:\users\nicolas\appdata\roaming\SUPERAntiSpyware.com
    2011-03-01 15:00:31 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
    2011-03-01 14:59:50 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-03-01 14:47:48 -------- d-----w- c:\users\nicolas\appdata\roaming\Uniblue
    2011-03-01 14:46:27 -------- d-----w- c:\program files\Auslogics
    2011-03-01 12:59:46 -------- d-----w- c:\users\nicolas\appdata\local\Mozilla
    2011-03-01 12:55:47 -------- d-----w- c:\program files\CCleaner
    2011-02-28 23:26:33 -------- d-----w- c:\program files\Lavasoft
    2011-02-28 23:11:42 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-28 23:11:41 -------- d-----w- c:\program files\Avira
    2011-02-28 23:11:41 -------- d-----w- c:\progra~2\Avira
    2011-02-28 23:09:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-02-28 23:09:59 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
    2011-02-28 23:09:06 -------- d-----w- c:\users\nicolas\appdata\roaming\Malwarebytes
    2011-02-28 23:09:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-28 23:09:01 -------- d-----w- c:\progra~2\Malwarebytes
    2011-02-28 23:08:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 23:08:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-28 22:58:43 -------- d-----w- c:\windows\pss
    2011-02-28 22:54:48 -------- d-----w- c:\users\nicolas\appdata\local\Toshiba
    2011-02-28 22:54:18 -------- d-----w- c:\users\nicolas\appdata\local\Adobe
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 21:44:00,04 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Édition Familiale Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 01/03/2011 08:43:28
    System Uptime: 08/03/2011 20:23:55 (1 hours ago)
    .
    Motherboard: MSI | | MS-1672
    Processor: AMD Athlon(tm) X2 Dual-Core QL-62 | CPU 1 | 2000/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 44 GiB total, 19,637 GiB free.
    D: is FIXED (NTFS) - 8 GiB total, 0,879 GiB free.
    E: is FIXED (NTFS) - 246 GiB total, 45,371 GiB free.
    F: is CDROM ()
    H: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    .
    Ad-Remover par C_XX
    Adobe Flash Player 10 Plugin
    Agere Systems HDA Modem
    Auslogics BoostSpeed
    Avira AntiVir Personal - Free Antivirus
    Bluetooth Stack for Windows by Toshiba
    BurnRecovery
    CCleaner
    Foxit Reader
    Google Désactivation du cookie publicitaire
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ISO Recorder
    JMicron JMB38X Flash Media Controller
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access MUI (French) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (French) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove MUI (French) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office InfoPath MUI (French) 2007
    Microsoft Office Language Pack 2007 - French/Français
    Microsoft Office O MUI (French) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office OneNote MUI (French) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office Outlook MUI (French) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (French) 2007
    Microsoft Office Proof (Arabic) 2007
    Microsoft Office Proof (Dutch) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (French) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Publisher MUI (French) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (French) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office SharePoint Designer MUI (French) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (French) 2007
    Microsoft Office X MUI (French) 2007
    Mozilla Firefox (3.6.14)
    MSI Software Install
    NVIDIA Drivers
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Skype™ 5.1
    Spybot - Search & Destroy
    SUPERAntiSpyware
    System Control Manager
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    USB 2.0 Camera
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WinRAR archiver
    .
    ==== End Of File ===========================


    Thank you very much!

  2. #12
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Hi,

    OK, good.

    Since your machine appears to be malware free, now is the time to make a backup/restore CD like you did before. The first disk you made you may as well use as a coaster for your drinks. When you burn the new disk, choose a slow burn like 4X, if you have that option. I would burn two copies also. A slow burn is much safer for software transfers.

    Your external drive we can assume may be infected. The problem with this is:
    1) If you attach it via USB the malware may auto run/install to your clean computer. We can fix this. Not all malware will do this though.

    2) Some malware tools won't scan an external drive. I'm pretty sure Malwarebytes, Spybot and your AV will scan your external drive.

    So in order to prevent an auto run you can use this utility:
    here.
    Even though I think that a fix (disable auto-run) for this was pushed out via a Windows update at some point, not sure about that. Use the Panda tool. Won't hurt.
    After you run the Panda tool you should be able to attach the external drive and use what you can to scan it. Or you could attach it and then reformat it.
    Of course you would lose everything that's on the drive. Up to you what you want to do.
    How Can I Reduce My Risk?

  3. #13
    Junior Member
    Join Date
    Feb 2011
    Posts
    8

    Hi shelf life,

    Sorry I am a little slow to post the answer, I'm quite busy these days.

    Here is the DDS Log :

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Nicolas at 19:58:04,85 on 10/03/2011
    Internet Explorer: 8.0.6001.19019
    Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6001.1.1252.33.1036.18.3070.2077 [GMT 1:00]
    .
    AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\System Control Manager\MSIService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\rundll32.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Nicolas\Desktop\dds.scr
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Désactivation du cookie publicitaire: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\users\nicolas\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\nicolas\appdata\roaming\mozilla\firefox\profiles\ehg1a77b.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-3-1 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\avira\antivir desktop\sched.exe [2011-3-1 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-1 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-1 61960]
    R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2009-2-18 159744]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-12-25 97536]
    R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr28.sys [2008-12-25 436224]
    S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-3 136176]
    .
    =============== Created Last 30 ================
    .
    2011-03-10 13:52:23 -------- d-----w- C:\UsbFix
    2011-03-10 13:30:31 -------- d-----w- c:\progra~2\open-config
    2011-03-10 13:22:29 -------- d--h--w- C:\bdtmp
    2011-03-09 13:56:52 -------- d-----w- c:\program files\ESET
    2011-03-09 13:36:56 -------- d-----w- c:\users\nicolas\appdata\roaming\Avira
    2011-03-09 13:30:18 420352 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-09 13:29:58 378368 ----a-w- c:\windows\system32\winhttp.dll
    2011-03-09 13:29:35 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-08 21:21:27 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2011-03-08 21:21:26 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2011-03-08 21:21:26 31232 ----a-w- c:\windows\system32\httpapi.dll
    2011-03-08 20:54:50 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-03-08 20:52:53 72704 ----a-w- c:\windows\system32\admparse.dll
    2011-03-08 20:50:00 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{5eaa7c66-804f-442f-af73-c77fc7ef84cf}\mpengine.dll
    2011-03-07 22:10:48 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-03-07 22:10:45 -------- d-----w- c:\users\nicolas\appdata\local\temp
    2011-03-07 22:00:54 98816 ----a-w- c:\windows\sed.exe
    2011-03-07 22:00:54 89088 ----a-w- c:\windows\MBR.exe
    2011-03-07 22:00:54 256512 ----a-w- c:\windows\PEV.exe
    2011-03-07 22:00:54 161792 ----a-w- c:\windows\SWREG.exe
    2011-03-07 22:00:43 -------- d-----w- C:\ComboFix
    2011-03-07 21:54:53 -------- d-----w- c:\program files\Alex Feinman
    2011-03-07 21:39:57 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
    2011-03-07 21:39:57 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
    2011-03-07 21:39:57 15360 ----a-w- c:\windows\system32\inetfr.DLL
    2011-03-07 21:39:57 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
    2011-03-07 21:39:57 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
    2011-03-07 21:39:57 119568 ----a-w- c:\windows\system32\VB6FR.DLL
    2011-03-07 21:39:57 115920 ----a-w- c:\windows\system32\msinet.OCX
    2011-03-07 21:39:57 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2011-03-07 21:39:56 -------- d-----w- c:\users\nicolas\appdata\roaming\FreeBurner
    2011-03-06 16:02:05 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
    2011-03-06 16:02:01 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-03-06 13:44:43 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
    2011-03-06 13:44:42 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2011-03-06 13:42:55 17920 ----a-w- c:\windows\system32\netevent.dll
    2011-03-06 13:42:20 147456 ----a-w- c:\windows\system32\Faultrep.dll
    2011-03-06 13:42:19 98304 ----a-w- c:\windows\system32\cabview.dll
    2011-03-06 13:42:15 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-03-06 13:42:02 302080 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-03-06 13:42:02 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-03-06 13:42:01 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2011-03-06 13:29:14 1645568 ----a-w- c:\windows\system32\connect.dll
    2011-03-06 13:29:09 784896 ----a-w- c:\windows\system32\rpcrt4.dll
    2011-03-05 23:23:18 81920 ----a-w- c:\windows\system32\iccvid.dll
    2011-03-05 23:23:17 125952 ----a-w- c:\windows\system32\wersvc.dll
    2011-03-05 23:23:10 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-03-05 23:21:43 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-03-05 23:21:01 1314816 ----a-w- c:\windows\system32\quartz.dll
    2011-03-05 23:19:14 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2011-03-05 23:19:14 1418752 ----a-w- c:\program files\windows media player\setup_wm.exe
    2011-03-05 23:19:12 7680 ----a-w- c:\windows\system32\spwmp.dll
    2011-03-05 23:19:12 4096 ----a-w- c:\windows\system32\msdxm.ocx
    2011-03-05 23:19:12 4096 ----a-w- c:\windows\system32\dxmasf.dll
    2011-03-05 23:19:12 107520 ----a-w- c:\program files\windows media player\wmpshare.exe
    2011-03-05 23:19:12 107520 ----a-w- c:\program files\windows media player\wmpconfig.exe
    2011-03-05 21:30:24 -------- d-----w- c:\program files\Ad-Remover
    2011-03-04 19:24:59 2421760 ----a-w- c:\windows\system32\wucltux.dll
    2011-03-04 19:24:50 87552 ----a-w- c:\windows\system32\wudriver.dll
    2011-03-04 19:24:48 33792 ----a-w- c:\windows\system32\wuapp.exe
    2011-03-04 19:24:48 171608 ----a-w- c:\windows\system32\wuwebv.dll
    2011-03-04 10:32:26 -------- d-----w- c:\program files\trend micro
    2011-03-03 19:09:59 -------- d-----w- c:\windows\PCHEALTH
    2011-03-03 19:07:18 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2011-03-03 19:06:01 -------- d-----w- c:\users\nicolas\appdata\local\Microsoft Help
    2011-03-03 18:37:04 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2011-03-03 18:37:02 -------- d-----w- c:\program files\DAEMON Tools Lite
    2011-03-03 18:36:49 -------- d-----w- c:\users\nicolas\appdata\roaming\DAEMON Tools Lite
    2011-03-03 18:36:33 -------- d-----w- c:\progra~2\DAEMON Tools Lite
    2011-03-03 18:09:18 -------- d-----w- c:\users\nicolas\appdata\local\Google
    2011-03-02 21:12:54 -------- d-----r- c:\program files\Skype
    2011-03-02 18:47:59 -------- d-----w- c:\users\nicolas\appdata\roaming\Imuwta
    2011-03-01 20:48:11 -------- d-----w- c:\users\nicolas\appdata\roaming\Foxit Software
    2011-03-01 20:35:47 -------- d-----w- c:\program files\Foxit Software
    2011-03-01 20:20:22 -------- d-----w- c:\users\nicolas\appdata\roaming\Auslogics
    2011-03-01 15:00:31 -------- d-----w- c:\users\nicolas\appdata\roaming\SUPERAntiSpyware.com
    2011-03-01 15:00:31 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
    2011-03-01 14:59:50 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-03-01 14:47:48 -------- d-----w- c:\users\nicolas\appdata\roaming\Uniblue
    2011-03-01 14:46:27 -------- d-----w- c:\program files\Auslogics
    2011-03-01 12:59:46 -------- d-----w- c:\users\nicolas\appdata\local\Mozilla
    2011-03-01 12:55:47 -------- d-----w- c:\program files\CCleaner
    2011-02-28 23:26:33 -------- d-----w- c:\program files\Lavasoft
    2011-02-28 23:11:42 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-28 23:11:41 -------- d-----w- c:\program files\Avira
    2011-02-28 23:11:41 -------- d-----w- c:\progra~2\Avira
    2011-02-28 23:09:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-02-28 23:09:59 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
    2011-02-28 23:09:06 -------- d-----w- c:\users\nicolas\appdata\roaming\Malwarebytes
    2011-02-28 23:09:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-28 23:09:01 -------- d-----w- c:\progra~2\Malwarebytes
    2011-02-28 23:08:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 23:08:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-28 22:58:43 -------- d-----w- c:\windows\pss
    2011-02-28 22:54:48 -------- d-----w- c:\users\nicolas\appdata\local\Toshiba
    2011-02-28 22:54:18 -------- d-----w- c:\users\nicolas\appdata\local\Adobe
    .
    ==================== Find3M ====================
    .
    2010-12-28 14:57:35 409600 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    .
    ============= FINISH: 19:59:10,14 ===============


    And the Attached Log:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Édition Familiale Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 01/03/2011 08:43:28
    System Uptime: 10/03/2011 17:43:47 (2 hours ago)
    .
    Motherboard: MSI | | MS-1672
    Processor: AMD Athlon(tm) X2 Dual-Core QL-62 | CPU 1 | 2000/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 44 GiB total, 18,922 GiB free.
    D: is FIXED (NTFS) - 8 GiB total, 0,879 GiB free.
    E: is FIXED (NTFS) - 246 GiB total, 45,374 GiB free.
    F: is CDROM ()
    H: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    .
    Ad-Remover par C_XX
    Adobe Flash Player 10 Plugin
    Agere Systems HDA Modem
    Auslogics BoostSpeed
    Avira AntiVir Personal - Free Antivirus
    Bluetooth Stack for Windows by Toshiba
    BurnRecovery
    CCleaner
    ESET Online Scanner v3
    Foxit Reader
    Google Désactivation du cookie publicitaire
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ISO Recorder
    JMicron JMB38X Flash Media Controller
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access MUI (French) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (French) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove MUI (French) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office InfoPath MUI (French) 2007
    Microsoft Office Language Pack 2007 - French/Français
    Microsoft Office O MUI (French) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office OneNote MUI (French) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office Outlook MUI (French) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (French) 2007
    Microsoft Office Proof (Arabic) 2007
    Microsoft Office Proof (Dutch) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (French) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Publisher MUI (French) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (French) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office SharePoint Designer MUI (French) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (French) 2007
    Microsoft Office X MUI (French) 2007
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.15)
    MSI Software Install
    NVIDIA Drivers
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Skype™ 5.1
    Spybot - Search & Destroy
    SUPERAntiSpyware
    System Control Manager
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    USB 2.0 Camera
    UsbFix By TeamXscript
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WinRAR archiver
    .
    ==== End Of File ===========================


    Thank you,

    Good night,

    Nico

  4. #14
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Sorry I am a little slow to post the answer, I'm quite busy these days.
    no problem. you already posted a new DDS log which looks ok
    How Can I Reduce My Risk?

  5. #15
    Junior Member
    Join Date
    Feb 2011
    Posts
    8

    Default

    Hi again Shelf Life,

    I think I may be too tired tonight, I made a mistake in the last post: actually I read your last advice on the first page of the topic and I just did the DDS Log without thinking... Sorry for this!


    Ok, concerning the USB and External Hard Drive, I already looked on the Malekal website (if you know it) and another program called "VaccinUSB" was proposed and it successfully created the Autorun.inf and other files in "read only".

    Plus, I deactivated the Autorun from Windows with a tool called Open-Config (also proposed on the Malekal website).

    Also yes, there is an update for Windows Vista (KB950582 to be precise) which normally disables Autorun but I didn't manage to install it yet, I have to check the error.

    And finally, I updated Avira to the 10th version and it appears that this version automatically blocks the Autorun.inf! Unfortunately it doesn't make the difference between an infected autorun and a vaccinated one so it keeps sending me alerts concerning my devices, I think there is a setting to make.


    Well, I also wanted to say a big thank you! As I looked for help on this forum I realized the huge amount of volunteer experts like you who take a lot of time for helping unconscious (but not any more) web users like me. It's really impressive!

    Ok, I hope I won't require any help any more !

    Good night,

    Nico
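
One way to check the Autorun state described in the post above, as an added example that is not part of the thread and not code from any tool named in it. It assumes the setting is expressed through the standard Windows `NoDriveTypeAutoRun` policy value; the function names and the sample values in the comments are constructed for illustration.

```python
import sys

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# A set bit DISABLES AutoRun for that drive type; 0xFF disables all of them.
DRIVE_TYPES = [
    (0x81, "unknown"),    # either 0x01 or 0x80 disables unknown drive types
    (0x04, "removable"),  # USB sticks and external disks
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "CD-ROM"),
    (0x40, "RAM disk"),
]

def autorun_still_enabled(value):
    """Return the drive types for which AutoRun is NOT disabled by `value`."""
    return [name for mask, name in DRIVE_TYPES if not value & mask]

def effective_value(hklm, hkcu):
    """The machine-wide (HKLM) value overrides the per-user (HKCU) one."""
    return hklm if hklm is not None else hkcu

def read_policy(hive):
    """Read the policy value from one registry hive; None if it is not set."""
    import winreg  # Windows only, imported lazily so the decoder runs anywhere
    try:
        with winreg.OpenKey(hive, POLICY_KEY) as key:
            data, _kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    # Some tools write the value as REG_BINARY instead of REG_DWORD.
    return int.from_bytes(data, "little") if isinstance(data, bytes) else data

if __name__ == "__main__" and sys.platform == "win32":
    import winreg
    value = effective_value(read_policy(winreg.HKEY_LOCAL_MACHINE),
                            read_policy(winreg.HKEY_CURRENT_USER))
    if value is None:
        print("NoDriveTypeAutoRun is not set; the Windows default applies")
    else:
        enabled = autorun_still_enabled(value)
        print(f"NoDriveTypeAutoRun = {value:#04x}")
        print("AutoRun still enabled for:", ", ".join(enabled) or "no drive type")
```

If "removable" still appears in the output, the policy does not cover USB sticks or external disks.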

  6. #16
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi Nico,

    Looks like you have the "auto run" issue all under control. Don't forget to scan your external drive with your AV and antimalware, or to be totally safe reformat it. Up to you. Since you reinstalled you should visit Windows Update or use the auto-update feature to make sure you are current.
    Thanks for the kind words. You're welcome. This is one place I don't want to see people return to.

    You can remove combofix like this;
    start>run and type in
    combofix /uninstall
    click ok or enter
    note the space after the x and before the /

    If all is good you can make a new restore point; Why?

    One of the features of Windows XP, Vista and Windows 7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

    Turn system Restore off and reboot computer. (deletes old restore points)
    Turn System Restore back on and reboot. (creates a new one)
    From then on restore points will be created automatically by Windows

    See link here Scroll down to: How do I turn system restore on or off?

    And last everybody gets this:

    10 Tips for Prevention and Avoidance of Malware:
    There is no reason why your computer can not stay malware free.


    No software can think for you. Help yourself. In no special order:

    1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here.

    2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then it's time to *review your computer habits*.

    4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

    5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

    7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

    8) Install and understand the *limitations* of a software firewall.

    9) A slideshow on how to secure Internet Explorer Here. How to harden FireFox for safer surfing.

    10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. A file can be named anything, be nothing but malware or have malware bundled in it. Can you really trust the source of the file?


    More info/tips with pictures, links below

    Happy Safe Surfing.
    How Can I Reduce My Risk?
