W32.Ahlem.A@mm and/or a.exe

Status
Not open for further replies.
J

John Deas

New member
The problem is on my neighbour's Vista system, and seems to be "a.exe" and/or "W32.Ahlem.A@mm". Links, e.g in a Google search, are being diverted to different sites, and there are problems running and updating antivirus and spyware programs.

He had a McAfee trial system installed, which probably never got updated, also Spybot ditto. Trying to start the existing Spybot produced a message "Spybot is unable to run"; I uninstalled it and downloaded a new copy, but the installation fails when it tries to update files. I uninstalled McAfee and downloaded a new installation of AVG Free antivirus, which also fails to update.

Two preliminary questions, after reading your "Before you post" guidance:

1. The Erunt website says it is for NT/2000/XP - will it work with Vista, or is there another way to back up a Vista registry?

2. If I use a USB flash drive to carry HJT to his computer, and to carry logs back to mine for transmission, are there precautions I should take to prevent my system becoming infected?

3. Is there any point trying to update his newly installed Spybot with files from my (up-to-date) one? If so, which files? Note that my system is XP, his is Vista.

Regards,
John Deas
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions, anything else will waste your time and mine.

Hi John, you have a "can of worms" here, I will provide what answers I can and we see if you want to proceed. Is the computer still under warranty? If so, they may wish to return it and have it reformated?

First the infection and I can not say that this is all:
W32.Ahlem.A@mm
http://www.google.com/search?hl=en&q=W32.Ahlem.A@mm&btnG=Google+Search&aq=f&oq=
http://www.symantec.com/security_response/writeup.jsp?docid=2003-051914-5016-99
W32.Ahlem.A@mm is a mass-mailing worm that is written in the Visual Basic (VB) language. The worm has been packed using the UPX run-time compression utility.

When the worm is executed, it attempts to email all the contacts in the Windows Address Book. The email will have the following characteristics:
Subject: Alert! SARS Is being Spread.
Attachment: a.exe
Click to expand...

They may wish to alerts folks in the address book.

The Erunt website says it is for NT/2000/XP - will it work with Vista
Click to expand...
The download site provided by the instructions is:
http://www.softpedia.com/get/Tweak/Registry-Tweak/Erunt-g.shtml
I see this in the instructions:
Size / OS: 773 KB / Windows NT / 2K / XP / 2003 / Vista
so it should work for Vista.

If I use a USB flash drive to carry HJT to his computer
Click to expand...
Hard to answer that one, suppose there is a file infector like Virut (infects .exe files among others) and I have no knowledge of that fact at this point. You might scan any file while it is still on the USB Flash Drive. Keep in mind also, we will need a large download (combofix) from the sound of things and it is 2.86 MB's in size.
Is there any point trying to update his newly installed Spybot with files from my (up-to-date) one?
Click to expand...
No, once the malware is removed he wil be able le to update and run Spybot S&D.

Hope that covers what you needed to know.

Thanks...Phil
 
HJT log

Thanks. Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:32, on 28/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [Apanel] C:\ACERSW\config\NewSetApanel.cmd
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MSFox] C:\Users\Tony\AppData\Local\Temp\a.exe
O4 - HKCU\..\Run: [Cognac] C:\Users\Tony\AppData\Local\Temp\~tmpd.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B89E525-B2FE-4E02-B769-D671257BBDE6}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8088 bytes
 
85.255.112.39 <<< criminals from the Ukraine, see this:
http://whois.domaintools.com/85.255.112.39

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks...Phil
 
More logs

Thanks for your clear instructions. Soon after Combofix started, it reported that it had detected rootkit activity and would need to reboot: it instructed me to write down the names of these two files:

C:\Windows\system32\drivers\gaopdxhkypmnit.sys
C:\Windows\system32\gaopdxxgtvoryj.dll

After rebooting it ran right through. Below I list:
-Combofix.txt
-hjt29-04.txt (HijackThis log)
-uninstall_list.txt

Regards, John Deas

ComboFix 09-04-28.05 - Tony 29/04/2009 14:38.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.767.279 [GMT 1:00]
Running from: c:\users\Tony\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\program files\freshplay
c:\program files\freshplay\Uninstall.exe
c:\program files\Mozilla Firefox\components\iamfamous.dll
c:\programdata\Microsoft\Windows\Start Menu\Programs\freshplay
c:\programdata\Microsoft\Windows\Start Menu\Programs\freshplay\Uninstall.lnk
c:\recycler\S-5-5-51-100027204-100023623-100032627-6279.com
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1383.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc144D.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1E3C.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc25F9.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2686.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2731.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc283B.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc28C7.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2992.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2A8C.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc33D.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc37E5.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3D7F.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3E88.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc40BA.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc426F.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc43B7.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc45D8.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc47FE.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4C8C.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4F6A.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc52C4.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5331.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5591.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc56D9.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5EC5.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc61C1.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc69FB.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc77E0.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc83B2.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8900.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8B9E.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8F37.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8F94.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc917.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9243.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc95CC.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc961A.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9723.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA0B7.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAE7A.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB02F.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB167.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB1F3.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB34A.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB750.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB82A.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBEEE.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC322.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCD.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCEA7.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCED5.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD3D5.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD828.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDA3B.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDA69.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDFD6.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE1F8.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE60D.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE9A5.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEA61.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEB1C.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF00.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF182.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF337.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFDA2.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFE2F.tmp
c:\users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFF38.tmp
c:\users\Tony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\freshplay
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\gaopdxhkypmnit.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxxgtvoryj.dll
D:\Autorun.inf
d:\recycler\S-5-5-51-100027204-100023623-100032627-6279.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 19:18 . 2009-04-28 19:18 -------- d-----w c:\program files\Trend Micro
2009-04-28 19:15 . 2009-04-28 19:15 -------- d-----w c:\program files\ERUNT
2009-04-27 15:41 . 2009-04-27 15:42 -------- d--h--w C:\$AVG8.VAULT$
2009-04-27 15:33 . 2009-04-27 15:33 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-27 15:33 . 2009-04-27 15:33 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-27 15:33 . 2009-04-27 15:33 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-27 15:33 . 2009-04-27 15:33 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-27 15:33 . 2009-04-27 15:33 -------- d-----w c:\program files\AVG
2009-04-27 15:33 . 2009-04-27 15:33 -------- d-----w c:\programdata\avg8
2009-04-27 15:33 . 2009-04-27 15:33 -------- d-----w c:\users\All Users\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 15:53 . 2008-11-27 14:45 -------- d-----w c:\program files\Spybot - Search & Destroy
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-05 06:38 121392 ----a-w c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-01-10 326176]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 526896]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-01-26 204908]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-21 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-21 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-21 81920]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-12-07 196128]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-27 1932568]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-11 4702208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-16 535336]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{89EC6C5A-4AB0-4332-8222-0B151E8A8E96}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C318B0A4-B2D0-4D2E-9441-555DC11A8A75}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{479ECCE8-031F-4BCF-B7EB-31702685CE3A}"= c:\program files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{8E5AC746-02CF-4513-9F72-04A74B446FFC}"= c:\program files\Acer Arcade Live\Acer DVDivine\Acer DVDivine.exe:Acer DVDivine
"{92E72A5C-B72B-4379-94AE-F07E353CAB52}"= c:\program files\Acer Arcade Live\Acer HomeMedia\Acer HomeMedia.exe:Acer HomeMedia
"{31EB5216-7D72-4C17-8DF2-FA5B69B7869E}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Acer HomeMedia Connect.exe:Acer HomeMedia Connect
"{39863CA9-3184-4F99-9510-39E313EE846B}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.EXE:Acer HomeMedia Connect Service
"{94063567-A94D-492C-A5FE-C8A914B9B6F4}"= c:\program files\Acer Arcade Live\Acer SlideShow DVD\Acer SlideShow DVD.exe:Acer SlideShow DVD
"{6A4CAF56-9623-4AFA-854B-D47483B10A3B}"= c:\program files\Acer Arcade Live\Acer VideoMagician\Acer VideoMagician.exe:Acer VideoMagician
"{A95B326A-DD98-4550-8653-CE41D482B8FA}"= c:\program files\Acer Arcade Live\Acer HomeMedia Trial Creator\Acer HomeMedia Trial Creator.exe:Acer HomeMedia Trial Creator
"{70441C18-3E53-4EFF-B676-D2C732DCB557}"= c:\program files\Acer Arcade Live\Acer DV Magician\Acer DV Magician.exe:Acer DV Magician
"{D1D30318-EE90-437C-AF70-BD7C9775334E}"= Disabled:UDP:c:\users\Tony\AppData\Local\Temp\ImInstaller\incredimail_installer.exe:IncrediMail Installer
"{000F75D1-CCEB-429C-92D8-F27957182004}"= Disabled:TCP:c:\users\Tony\AppData\Local\Temp\ImInstaller\incredimail_installer.exe:IncrediMail Installer
"{EA020DDC-A2DF-4AA0-B1EF-333266854AAB}"= UDP:c:\program files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe:BT Broadband Desktop Help
"{E2A5A091-F388-4B6B-B47E-972FF2CC2F32}"= TCP:c:\program files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe:BT Broadband Desktop Help
"{A83085FD-3187-4AC7-961A-58813D172FA0}"= UDP:c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe:BT Broadband Desktop Help Notifier
"{866125DA-9987-4885-A4C0-8E4D3F0C6F8F}"= TCP:c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe:BT Broadband Desktop Help Notifier
"{A7B35555-77EB-435D-A1C6-47A80E7BACF8}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{31F0BC16-8F05-4F2A-86C3-CEB983F35340}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{834C2CF6-D6E7-4DA5-9671-865CFBFF0C16}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2007-07-16 30752]
R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2006-09-19 80744]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-27 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-27 108552]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-01-26 269448]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-27 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-27 298264]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ca068d9-2da3-11dd-8d20-806e6f6e6963}]
\shell\AutoRun\command - E:\SETUP.EXE
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
HKLM-Run-Apanel - c:\acersw\config\NewSetApanel.cmd
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://bt.yahoo.com
mStart Page = hxxp://en.uk.acer.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\w1qqdv8l.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 14:43
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Tony\AppData\Local\Temp\gaopdx000 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe"

[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_USERS\software\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"

[HKEY_USERS\software\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_USERS\software\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_USERS\software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=

[HKEY_USERS\software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"

[HKEY_USERS\software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""

[HKEY_USERS\software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"

[HKEY_USERS\system\ControlSet001\Services\gaopdxserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gaopdxjmvriryp.sys"

[HKEY_USERS\system\ControlSet002\Services\gaopdxserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gaopdxhkypmnit.sys"
"group"="file system"
.
Completion time: 2009-04-29 14:44
ComboFix-quarantined-files.txt 2009-04-29 13:44

Pre-Run: 128,998,486,016 bytes free
Post-Run: 129,330,335,744 bytes free

289 --- E O F --- 2009-02-16 18:56


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52:28, on 29/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\notepad.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\Explorer.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\system32\wuauclt.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6231 bytes



Acer Arcade Live Main Page
Acer DV Magician
Acer DVDivine
Acer eDataSecurity Management
Acer Empowering Technology
Acer ePerformance Management
Acer eSettings Management
Acer GameZone Console DTV 2.0.1.1
Acer HomeMedia
Acer HomeMedia Connect
Acer HomeMedia Trial Creator
Acer ScreenSaver
Acer SlideShow DVD
Acer VideoMagician
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.3
Agatha Christie Death on the Nile
Alice Greenfingers
AVG 8.5
Azada
Backspin Billiards
Big Kahuna Reef
Bookworm Deluxe
Bricks of Egypt
BT Broadband Desktop Help
BT Wireless Connection Manager
BT Yahoo! Applications
BTHomeHub
Cake Mania
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Chicken Invaders 3
Chuzzle
Diner Dash Flo on the Go
ERUNT 1.1j
eSobi v2
Flip Words 2
HijackThis 2.0.2
HP Customer Participation Program 9.0
HP Deskjet Printer Driver Software 9.0
HP Imaging Device Functions 9.0
HP Photosmart Essential 2.01
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPSSupply
Jewel Quest Solitaire
Kick N Rush
Mahjong Escape Ancient China
Mahjongg Artifacts
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB954430)
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
Realtek High Definition Audio Driver
Turbo Pizza
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
Zuma Deluxe
 
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 8.1.3 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Mozilla Firefox (3.0.5) <<< update from within, newest version is (3.0.10)

Follow the instructions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks
 
Last edited:
Thanks again for your prompt response and clear instructions. On the HJT run, the second item you indicated,

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40

wasn't present. Otherwise everything went smoothly, and in the short play that I have had time to do the system seems to be running normally - I was able to update AVG Free and Spybot, and also Firefox and Adobe Reader. Not Flash yet - I'll do that tomorrow.

One oddity was that after all was done AVG's "Resident Shield" popped up saying that a number of files with names like C:\Users\Tony\Download\InstallAVg....exe were Trojans. I told it to get rid of them.

One question - is there likely to be any conflict between AVG Free's anti-malware functions and Teatimer, if both are running.

We now have AVG Free set to auto-update, also Windows, and I have told him to update Spybot and run it weekly, and to be very cautious about strange emails. Any more precautions I should explain to him?

Malware-bytes and HJT logs follow. Thanks again. John Deas



Malwarebytes' Anti-Malware 1.36
Database version: 2059
Windows 6.0.6001 Service Pack 1

29/04/2009 20:26:25
mbam-log-2009-04-29 (20-26-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 150165
Time elapsed: 1 hour(s), 48 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Program Files\freshplay\Uninstall.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Tony\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BD0GE27C\VirusRemover2008_Setup_Free_en[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\InstallAVg_77100106(5).exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\InstallAVg_77100106(2).exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\InstallAVg_77100106(3).exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\InstallAVg_77100106(4).exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\InstallAVg_77100106(6).exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\InstallAVg_77100106(7).exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\InstallAVg_77100106(8).exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\InstallAVg_77100106(9).exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\VirusRemover2008_Setup_Free_en(2).exe (Rogue.AntiSpywareSolutionPro) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\VirusRemover2008_Setup_Free_en(3).exe (Rogue.AntiSpywareSolutionPro) -> Quarantined and deleted successfully.
C:\Users\Tony\Downloads\VirusRemover2008_Setup_Free_en(4).exe (Rogue.AntiSpywareSolutionPro) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:56, on 29/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6611 bytes
 
C:\Users\Tony\Download\InstallAVg....exe were Trojans.
Click to expand...
Not sure what that would have been, Google says this as a search result:
http://www.google.com/search?hl=en&q=InstallAVg&btnG=Google+Search&aq=f&oq=
I have a notion those items belong to this:
VirusRemover2008_Setup_Free_en[1].exe and it was rightly removed and quarantined by MBAM and in a rouge program.
One question - is there likely to be any conflict between AVG Free's anti-malware functions and Teatimer, if both are running.
Click to expand...
There should not be? Read the links I provide, I personally run Spybot S&D as an on demand scanner, but do not use TeaTimer, prefering SpywareGuard that you will read about.

Sorry about the Prefetch instructions:sad: does not apply to Vista.

Let's see if we can wrap up like this:

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png



Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)

Update AVG8 and scan the system, to be sure it is running right and scanning clean.
Some good AVG information:
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/

If all is well at this point, let me know and I will close the topic.

Vista information:
http://www.netsquirrel.com/msconfig/msconfig_vista.html
Get maximum performance from Windows Vista
http://windowshelp.microsoft.com/windows/en-us/Help/596FB57F-CC9D-4AC5-A813-5C0830E9156A1033.mspx


(all information will not apply to Vista)
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
 
mostly clear, but...

MBAM ran clear, AVG8 ran clear; but when I ran Spybot it flagged four items under the heading Win32.TDSS.rtk, a typical one looking like:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSetoo1\Services\gaopdxserv.sys\modules\gaopdxl(SB$896E6905)Setup

(I don't guarantee to have copied that down exactly correct).

That reminds me that when I ran Combofix earlier, it reported that it had detected rootkit activity and would need to reboot: it instructed me to write down the names of these two files:

C:\Windows\system32\drivers\gaopdxhkypmnit.sys
C:\Windows\system32\gaopdxxgtvoryj.dll

...but didn't tell me to do anything about them.

Today when I told Spybot to fix the problem, it refused because I was not an administrator: I have since found that I should have right-clicked and chosen "run as administrator", which I will do tomorrow.

"Rootkit" sounds sinister: will Spybot be able to fix Win32.TDSS.rtk, or do I need something more?

Regards, and thanks,
John Deas
 
John, if you look at the combofix "Other Deletions" list, you will see these near the bottom:

C:\Windows\system32\drivers\gaopdxhkypmnit.sys
C:\Windows\system32\gaopdxxgtvoryj.dll

They were removed and quarantined by combofix, and removed from the computer when combofix was removed.

Spybot S&D should fix the other items it is finding when you are signed in properly. Let me know if this is not the case. Look like leftover registry entries from the malware, and the active malware is gone.

Thanks...Phil
 
All clear

Spybot says it has fixed them, you can close this thread. If anything more should come up, I'll start a new one. Many thanks, again, from me and my neighbour. Two more satisfied customers!

John Deas
 
Hey John, thanks for taking the time to let me know:bigthumb: safe surfing.

Phil
 
Status
Not open for further replies.
Back
Top