Thread: "Threat detected" keeps popping out

  1. #1
    Junior Member
    Join Date
    Feb 2012
    Posts
    5

    Hi, I have AVG Antivirus Free on my computer. Today I put a flash drive into my computer, and ever since "Threat detected" messages keep popping out! AVG allegedly solves the problem, but the messages still appear. Different threats appear: TR/Crypt.XPACK.Gen2, FakeAlert.AAN, Win32:Kryptik-GRM.

    I hope someone can find the time and help me solve this. Thank you.

    Here is my DDS log:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
    Run by Vera at 15:01:09 on 2012-02-01
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1919.880 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CNAB4RPK.EXE
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Ask.com\Updater\Updater.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Documents and Settings\Vera\Application Data\Dropbox\bin\Dropbox.exe
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Vera\Application Data\5A.tmp
    C:\Documents and Settings\Vera\Application Data\5C.tmp
    C:\WINDOWS\explorer.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    mWinlogon: Taskman=c:\recycler\s-1-5-21-0243556031-888888379-781863308-0076\mp130982.exe
    uWinlogon: Shell=c:\recycler\s-1-5-21-0243556031-888888379-781863308-0096\mp1lmq2.exe,explorer.exe,c:\recycler\s-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\bh\BabylonToolbar.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\BabylonToolbarTlbr.dll
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [MsServer] msfun80.exe
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [IMJPMIG8.2] msime82.exe
    mRun: [run32] c:\win\lsass.exe
    mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [<NO NAME>]
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\vera\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\vera\application data\dropbox\bin\Dropbox.exe
    IE: &Search - ?p=ZJfox000
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    TCP: DhcpNameServer = 109.122.98.116 109.122.98.117
    TCP: Interfaces\{45A941E4-AA9F-44E3-9543-B000319CB7A0} : NameServer = 192.168.1.1
    TCP: Interfaces\{A68E082C-ADF4-42E4-968E-74EC661EF467} : DhcpNameServer = 109.122.98.116 109.122.98.117
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\vera\application data\mozilla\firefox\profiles\8x5o44pc.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4c88a663&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\documents and settings\vera\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.BabylonToolbar_i.id - 605eb05100000000000000221575075b
    FF - user.js: extensions.BabylonToolbar_i.hardId - 605eb05100000000000000221575075b
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15307
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1720:34:10
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=101292
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 295248]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 MustekMA1908Driver;MustekMA1908Driver;c:\windows\system32\drivers\MA1908.SYS [2009-10-11 22528]
    R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-1-28 909152]
    R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-12-6 36864]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
    R3 FVDSCSI;FVDSCSI;c:\windows\system32\drivers\fvdscsi.sys [2008-12-6 72478]
    S0 icpqhvzo;icpqhvzo; [x]
    S0 vzipklc;vzipklc; [x]
    S2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2003-1-17 28186]
    S2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S2 TwonkyMedia;TwonkyMedia;c:\program files\nokia\nokia home media server\media server\twonkymedia.exe -serviceversion 0 --> c:\program files\nokia\nokia home media server\media server\TwonkyMedia.exe -serviceversion 0 [?]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 1025352]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
    S3 SNCT511;PC Camera (6005 CIF);c:\windows\system32\drivers\snct511.sys [2009-9-14 229376]
    .
    =============== Created Last 30 ================
    .
    2012-02-01 13:33:03 -------- d-----w- c:\program files\SpywareBlaster
    2012-02-01 13:31:19 25088 ----a-w- c:\documents and settings\vera\application data\6B.tmp
    2012-02-01 13:31:16 193 ----a-w- c:\documents and settings\vera\application data\6A.tmp
    2012-02-01 13:31:14 193 ----a-w- c:\documents and settings\vera\application data\69.tmp
    2012-02-01 13:31:13 193 ----a-w- c:\documents and settings\vera\application data\68.tmp
    2012-02-01 13:31:11 25088 ----a-w- c:\documents and settings\vera\application data\67.tmp
    2012-02-01 13:31:08 25088 ----a-w- c:\documents and settings\vera\application data\66.tmp
    2012-02-01 13:31:06 25088 ----a-w- c:\documents and settings\vera\application data\65.tmp
    2012-02-01 13:31:04 193 ----a-w- c:\documents and settings\vera\application data\64.tmp
    2012-02-01 13:29:27 -------- d-----w- c:\documents and settings\all users\application data\XoftSpySE
    2012-02-01 13:29:26 -------- d-----w- c:\program files\XoftSpySE6
    2012-02-01 13:27:09 193 ----a-w- c:\documents and settings\vera\application data\5F.tmp
    2012-02-01 13:27:07 25088 ----a-w- c:\documents and settings\vera\application data\5E.tmp
    2012-02-01 13:27:05 25088 ----a-w- c:\documents and settings\vera\application data\5D.tmp
    2012-02-01 13:27:04 25088 ----a-w- c:\documents and settings\vera\application data\5C.tmp
    2012-02-01 13:27:01 193 ----a-w- c:\documents and settings\vera\application data\5B.tmp
    2012-02-01 13:26:59 25088 ----a-w- c:\documents and settings\vera\application data\5A.tmp
    2012-02-01 13:26:57 25088 ----a-w- c:\documents and settings\vera\application data\59.tmp
    2012-02-01 13:26:16 193 ----a-w- c:\documents and settings\vera\application data\57.tmp
    2012-02-01 13:26:10 193 ----a-w- c:\documents and settings\vera\application data\50.tmp
    2012-02-01 13:26:08 193 ----a-w- c:\documents and settings\vera\application data\4C.tmp
    2012-02-01 13:26:06 193 ----a-w- c:\documents and settings\vera\application data\49.tmp
    2012-02-01 13:22:21 193 ----a-w- c:\documents and settings\vera\application data\37.tmp
    2012-02-01 13:12:42 193 ----a-w- c:\documents and settings\vera\application data\19.tmp
    2012-02-01 13:12:37 193 ----a-w- c:\documents and settings\vera\application data\18.tmp
    2012-02-01 13:11:33 193 ----a-w- c:\documents and settings\vera\application data\15.tmp
    2012-02-01 13:11:31 193 ----a-w- c:\documents and settings\vera\application data\14.tmp
    2012-02-01 13:11:27 193 ----a-w- c:\documents and settings\vera\application data\13.tmp
    2012-02-01 13:11:15 193 ----a-w- c:\documents and settings\vera\application data\10.tmp
    2012-02-01 13:11:14 25088 ----a-w- c:\documents and settings\vera\application data\F.tmp
    2012-02-01 13:11:11 193 ----a-w- c:\documents and settings\vera\application data\E.tmp
    2012-02-01 13:10:46 25088 ----a-w- c:\documents and settings\vera\application data\D.tmp
    2012-02-01 13:10:43 25088 ----a-w- c:\documents and settings\vera\application data\C.tmp
    2012-02-01 13:08:49 193 ----a-w- c:\documents and settings\vera\application data\A.tmp
    2012-02-01 13:08:42 193 ----a-w- c:\documents and settings\vera\application data\7.tmp
    2012-02-01 13:06:09 25088 ----a-w- c:\documents and settings\vera\application data\4F.tmp
    2012-02-01 13:06:07 25088 ----a-w- c:\documents and settings\vera\application data\4E.tmp
    2012-02-01 13:05:38 193 ----a-w- c:\documents and settings\vera\application data\4D.tmp
    2012-02-01 13:05:34 193 ----a-w- c:\documents and settings\vera\application data\4B.tmp
    2012-02-01 13:05:33 193 ----a-w- c:\documents and settings\vera\application data\4A.tmp
    2012-02-01 13:04:56 193 ----a-w- c:\documents and settings\vera\application data\44.tmp
    2012-02-01 13:04:50 193 ----a-w- c:\documents and settings\vera\application data\40.tmp
    2012-02-01 13:04:47 193 ----a-w- c:\documents and settings\vera\application data\3E.tmp
    2012-02-01 13:03:51 193 ----a-w- c:\documents and settings\vera\application data\3D.tmp
    2012-02-01 13:03:48 193 ----a-w- c:\documents and settings\vera\application data\3B.tmp
    2012-02-01 13:03:47 193 ----a-w- c:\documents and settings\vera\application data\3A.tmp
    2012-02-01 13:03:45 193 ----a-w- c:\documents and settings\vera\application data\39.tmp
    2012-02-01 13:03:06 193 ----a-w- c:\documents and settings\vera\application data\35.tmp
    2012-02-01 13:03:03 193 ----a-w- c:\documents and settings\vera\application data\33.tmp
    2012-02-01 13:03:00 193 ----a-w- c:\documents and settings\vera\application data\31.tmp
    2012-02-01 13:02:55 193 ----a-w- c:\documents and settings\vera\application data\2E.tmp
    2012-02-01 13:02:34 193 ----a-w- c:\documents and settings\vera\application data\2D.tmp
    2012-02-01 13:01:58 193 ----a-w- c:\documents and settings\vera\application data\1E.tmp
    2012-02-01 13:01:56 193 ----a-w- c:\documents and settings\vera\application data\1B.tmp
    2012-02-01 13:01:55 193 ----a-w- c:\documents and settings\vera\application data\1A.tmp
    2012-02-01 12:55:23 193 ----a-w- c:\documents and settings\vera\application data\13E.tmp
    2012-02-01 12:55:19 193 ----a-w- c:\documents and settings\vera\application data\13A.tmp
    2012-02-01 12:55:18 193 ----a-w- c:\documents and settings\vera\application data\139.tmp
    2012-02-01 12:55:16 193 ----a-w- c:\documents and settings\vera\application data\137.tmp
    2012-02-01 12:53:58 193 ----a-w- c:\documents and settings\vera\application data\135.tmp
    2012-02-01 12:53:57 193 ----a-w- c:\documents and settings\vera\application data\134.tmp
    2012-02-01 12:53:54 193 ----a-w- c:\documents and settings\vera\application data\132.tmp
    2012-02-01 12:53:51 193 ----a-w- c:\documents and settings\vera\application data\130.tmp
    2012-02-01 12:53:49 193 ----a-w- c:\documents and settings\vera\application data\12F.tmp
    2012-02-01 12:53:09 193 ----a-w- c:\documents and settings\vera\application data\121.tmp
    2012-02-01 12:52:48 25088 ----a-w- c:\documents and settings\vera\application data\11E.tmp
    2012-02-01 12:52:46 193 ----a-w- c:\documents and settings\vera\application data\11D.tmp
    2012-02-01 12:52:45 193 ----a-w- c:\documents and settings\vera\application data\11C.tmp
    2012-02-01 12:52:35 193 ----a-w- c:\documents and settings\vera\application data\117.tmp
    2012-02-01 12:52:14 25088 ----a-w- c:\documents and settings\vera\application data\113.tmp
    2012-02-01 12:51:47 25088 ----a-w- c:\documents and settings\vera\application data\10C.tmp
    2012-02-01 12:51:45 193 ----a-w- c:\documents and settings\vera\application data\10B.tmp
    2012-02-01 12:51:44 193 ----a-w- c:\documents and settings\vera\application data\10A.tmp
    2012-02-01 12:50:53 25088 ----a-w- c:\documents and settings\vera\application data\104.tmp
    2012-02-01 12:48:59 193 ----a-w- c:\documents and settings\vera\application data\D4.tmp
    2012-02-01 12:48:34 25088 ----a-w- c:\documents and settings\vera\application data\D1.tmp
    2012-02-01 12:48:28 193 ----a-w- c:\documents and settings\vera\application data\CE.tmp
    2012-02-01 12:48:27 193 ----a-w- c:\documents and settings\vera\application data\CD.tmp
    2012-02-01 12:48:05 193 ----a-w- c:\documents and settings\vera\application data\CC.tmp
    2012-02-01 12:48:00 193 ----a-w- c:\documents and settings\vera\application data\C9.tmp
    2012-02-01 12:47:36 193 ----a-w- c:\documents and settings\vera\application data\C6.tmp
    2012-02-01 12:47:06 193 ----a-w- c:\documents and settings\vera\application data\C1.tmp
    2012-02-01 12:45:53 193 ----a-w- c:\documents and settings\vera\application data\B8.tmp
    2012-02-01 12:45:52 193 ----a-w- c:\documents and settings\vera\application data\B7.tmp
    2012-02-01 12:45:48 193 ----a-w- c:\documents and settings\vera\application data\B5.tmp
    2012-02-01 12:45:47 193 ----a-w- c:\documents and settings\vera\application data\B4.tmp
    2012-02-01 12:45:46 193 ----a-w- c:\documents and settings\vera\application data\B3.tmp
    2012-01-30 10:04:51 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    2012-01-30 10:04:51 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2012-01-30 10:04:51 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2012-01-30 10:04:51 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 15:02:18.04 ===============

    I forgot the attachment.

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    hi missuna,

    If you still need help you can do this for starters, because based on the log you do have malware on your machine:

    Please download the free version of Malwarebytes to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click *Remove Selected.*

    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    Post the log in your reply.
    How Can I Reduce My Risk?
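
Added example (not part of the thread, and not code from the posters or the DDS tool): a small Python triage of the process and autostart lines in the DDS log from post #1, showing the kind of entries that support reading the log as infected. The log excerpt is copied from that post; the heuristics, the `SYSTEM_NAMES` list and the assumption that Windows is installed in `c:\windows` are this example's own.

```python
import re

# Excerpt copied from the DDS log in post #1 (not the full log).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vera\Application Data\5A.tmp
C:\WINDOWS\explorer.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-0243556031-888888379-781863308-0076\mp130982.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-0243556031-888888379-781863308-0096\mp1lmq2.exe,explorer.exe,c:\recycler\s-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [run32] c:\win\lsass.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
"""

# Assumptions of this example: Windows lives in c:\windows, and this short
# list of core system binary names is enough for the illustration.
SYSTEM_DIR = "c:\\windows\\system32\\"
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "winlogon.exe",
                "services.exe", "csrss.exe", "smss.exe"}

WINLOGON = re.compile(r"^[um]Winlogon:\s*(\w+)=(.*)$", re.I)
RUN = re.compile(r"^[umd]Run:\s*\[(.*?)\]\s*(.*)$", re.I)
PROCESS = re.compile(r"^[a-z]:\\", re.I)


def image_path(command):
    """Return the lower-cased executable path from a DDS command string."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    # Unquoted paths may contain spaces: cut at the first ".ext" that is
    # followed by whitespace or the end of the string.
    m = re.match(r"(.*?\.[a-z0-9]{2,4})(?=\s|$)", command, re.I)
    return (m.group(1) if m else command).lower()


def check_image(path):
    """Location and name heuristics for a single executable path."""
    reasons = []
    name = path.rsplit("\\", 1)[-1]
    if "\\recycler\\" in path:
        reasons.append("runs from the Recycle Bin folder")
    if name in SYSTEM_NAMES and "\\" in path and not path.startswith(SYSTEM_DIR):
        reasons.append("system binary name outside system32")
    if name.endswith(".tmp"):
        reasons.append("executable image has a .tmp extension")
    return reasons


def triage(log_text):
    """Return (source, path, reasons) for every line worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = WINLOGON.match(line)
        if m:
            value, data = m.group(1), m.group(2)
            for entry in data.split(","):
                path = image_path(entry)
                if value.lower() == "shell" and path == "explorer.exe":
                    continue  # the expected default shell
                reasons = ["extra program started at logon"] + check_image(path)
                findings.append((f"Winlogon {value}", path, reasons))
            continue
        m = RUN.match(line)
        if m:
            source, path = f"Run [{m.group(1)}]", image_path(m.group(2))
        elif PROCESS.match(line):
            source, path = "process", image_path(line)
        else:
            continue
        reasons = check_image(path)
        if reasons:
            findings.append((source, path, reasons))
    return findings


if __name__ == "__main__":
    for source, path, reasons in triage(SAMPLE_LOG):
        print(f"{source}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

These heuristics only mark entries for review; bare-filename Run entries such as `msfun80.exe` and `msime82.exe`, which the Malwarebytes log in post #5 reports as malicious, pass them unflagged, as does the legitimate `RTHDCPL.EXE`. The Winlogon Shell value and the `run32` entry they do flag are the same ones that log reports as Worm.AutoRun / Hijack.Shell and Trojan.Agent.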

  3. #3
    Junior Member
    Join Date
    Feb 2012
    Posts
    5

    Hi shelf life,

    Thank you for your reply. For some reason, I cannot open the link (Firefox can't find the server at www.malwarebytes.org.). Is there something else I can do? However, I will keep trying to open this page until I see your reply.

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    All I can reach is their support forum for some reason. Use this download link instead: link.

  5. #5
    Junior Member
    Join Date
    Feb 2012
    Posts
    5

    Hi shelf life,

    I downloaded Malwarebytes, did a scan (it detected 94 objects), restarted the computer, and here is the log now:

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.05.01

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 6.0.2900.2180
    Vera :: VERA-CONTOURS [administrator]

    Protection: Enabled

    2/5/2012 3:51:53 PM
    mbam-log-2012-02-05 (15-51-53).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 403639
    Time elapsed: 2 hour(s), 8 minute(s), 56 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 10
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crystal Player (Trojan.FakeAlert.SecGen) -> Quarantined and deleted successfully.
    HKCU\Software\SkyMedia (Adware.SkyMedia) -> Quarantined and deleted successfully.
    HKCU\Software\MarketPrecision\DuhikiToolbar (Malware.Trace) -> Quarantined and deleted successfully.
    HKCU\Software\Microsoft\idgbn5xehg (Malware.Trace) -> Quarantined and deleted successfully.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\ESENT\Process\Adparatus (Adware.Adparatus) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKLM\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.

    Registry Values Detected: 4
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Worm.AutoRun) -> Data: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\mtefq2.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0076\mp130982.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0056\mp18982.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0069\mmails2.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0076\mixhdg.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0016\mip982.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0096\mp1lmq2.exe,explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MsServer (Worm.AutoRun) -> Data: msfun80.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|run32 (Trojan.Agent) -> Data: C:\Win\lsass.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|IMJPMIG8.2 (Trojan.Agent) -> Data: msime82.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 5
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\mtefq2.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0076\mp130982.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0056\mp18982.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0069\mmails2.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0076\mixhdg.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0016\mip982.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0096\mp1lmq2.exe,explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe) Good: (Explorer.exe) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL|CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 4
    C:\Program Files\SAVETUBEVIDEO.COM (Adware.SkyLab) -> Quarantined and deleted successfully.
    C:\Program Files\SAVETUBEVIDEO.COM\SaveTubeVideo (Adware.SkyLab) -> Quarantined and deleted successfully.
    C:\Program Files\SAVETUBEVIDEO.COM\SAVETUBEVIDEO\FF (Adware.SkyLab) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830 (Worm.AutoRun) -> Quarantined and deleted successfully.

    Files Detected: 71
    C:\Documents and Settings\Vera\Local Settings\Temp\_F.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\My Documents\Downloads\SoftonicDownloader_for_subtitle-workshop.exe (PUP.BundleOffer.Downloader.S) -> Quarantined and deleted successfully.
    C:\Program Files\Crystal Player\Uninstall.exe (Trojan.FakeAlert.SecGen) -> Quarantined and deleted successfully.
    C:\Program Files\Windows Live\Messenger\msimg32.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    C:\Program Files\Windows Live\Messenger\riched20.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    D:\Sa starog diska\40\PROGRAMI\!!! ZoneAlarm with Antivirus\!! SERIAL\ZA.keygen.exe (Riskware.Tool.CK) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\16.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\17.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\1F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\20.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\21.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\24.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\25.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\28.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\29.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\2A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\2B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\2C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\2F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\30.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\34.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\36.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\38.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\3C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\41.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\43.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\45.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\46.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\4E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\4F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\52.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\53.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\54.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\58.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\59.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\63.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\67.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\6B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\6E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\70.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\73.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\74.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\76.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\77.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\78.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\79.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Win\names.txt (Worm.AutoIT) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\crt.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{22116563-108C-42C0-A7CE-60161B75E508}.JOB (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\ufdata2000.log (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{810401E2-DDE0-454E-B0E2-AA89C9E5967C}.JOB (Trojan.FraudPack) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\1.tmp (Trojan.Generic) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\2.tmp (Trojan.Generic) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\4.tmp (Trojan.Generic) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\5.tmp (Trojan.Generic) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\6.tmp (Trojan.Generic) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\8.tmp (Trojan.Generic) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Vera\Application Data\9.tmp (Trojan.Generic) -> Quarantined and deleted successfully.
    C:\Program Files\SAVETUBEVIDEO.COM\SAVETUBEVIDEO\K-Lite_CodecPack_640S.exe (Adware.SkyLab) -> Quarantined and deleted successfully.
    C:\Program Files\SAVETUBEVIDEO.COM\SAVETUBEVIDEO\vcredist_x86.exe (Adware.SkyLab) -> Quarantined and deleted successfully.
    C:\Program Files\SAVETUBEVIDEO.COM\SAVETUBEVIDEO\WinPcap_4_1_2.exe (Adware.SkyLab) -> Quarantined and deleted successfully.
    C:\Program Files\SAVETUBEVIDEO.COM\SAVETUBEVIDEO\FF\tmp (Adware.SkyLab) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\Desktop.ini (Worm.AutoRun) -> Quarantined and deleted successfully.

    (end)

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    hi,

    Looks like MBAM removed quite a load. We will get one more download to use:

    Please download TDSS Killer.exe and save it to your desktop
    Double click to launch the utility. After it initializes click the start scan button.

    Once the scan completes you can click the continue button.

    "The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

    "After clicking Next, the utility applies selected actions and outputs the result."

    "A reboot might be required after disinfection."

    A report will be found in your Root drive Local Disk (C) as: TDSSKiller.2.7.9.0_05.02.2012_17.32.21_log (name, version#, date, time)
    Please post the log report
    How Can I Reduce My Risk?

  7. #7
    Junior Member
    Join Date
    Feb 2012
    Posts
    5

    Hi,

    I cannot download TDSS Killer, it won't open the link. I tried from some other websites, but I cannot open any of them.

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    OK. Let's go with ComboFix instead. Read through the guide first, then download ComboFix and apply the directions on your own machine. Post the ComboFix log:

    Guide to using Combofix

  9. #9
    Junior Member
    Join Date
    Feb 2012
    Posts
    5

    Hi,

    I am writing from a different computer now. I downloaded ComboFix, and when it started installing my computer froze (I attached a picture). It's been like this for 1 hour already. Even the clock on my computer froze.

    What is my next step?

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Go ahead and reboot your machine, and this time, while it's rebooting, tap the F8 key. You will be presented with several options to continue the boot.
    When the option screen comes up, choose the option: safe mode with networking. Log in to your normal account; once at the safe mode desktop, try to run ComboFix again while you are in safe mode.