Vista Internet Security Virus?

February 28, 2010 at 12:29:24
Specs: Windows Vista Home Premium SP2, Intel Core2 Duo T5750@2.00GHz / 3GB
Hello all, like some users here, I've managed to pick up some kind of virus and I'm hoping someone can help. I keep getting messages in my tray box popping up saying things like: 'System hijack!', 'Security breach!', 'System danger!', 'Tracking software found!', 'Privacy Intrusion!' and 'Stealth intrusion!'. A box also pops up saying my PC is infected with 'Trojan-BNK.win32.keylogger.gen'. It then asks if I want to remove the problems, runs a scan and prompts me to purchase a version of Vista Security Center.

I'm currently running ESET NOD32 on the affected laptop and it supposedly quarantined the problem before I had to reboot (I got stuck in a loop where it was trying to install something and kept asking for my admin password, and every time I cancelled out of that it popped up again asking for the admin password; the only way I seemed to be able to stop the loop was to CTRL-ALT-DEL and restart/shut down via the Task Manager), but it's still giving me the popups now that I've rebooted.

Any assistance would be greatly appreciated, especially since ESET doesn't seem to be finding anything!

Thanks much in advance!



#1
March 1, 2010 at 19:27:03
You may need to download these to a CD, external drive, or USB drive and run them on the infected computer, but first try to run them from the infected computer.

Please download Rkill from the following link.

Rkill

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with Rkill running, as some anti-malware software detects Rkill as malicious. This link will help you disable them:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal.

If you get a message that Rkill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that Rkill can terminate the malware. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running Rkill as the malware programs will start again. If you are asked to reboot by a tool we use, then run Rkill after you have restarted the computer.

Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save both reports to your desktop then post them please.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.



#2
March 2, 2010 at 05:32:13
Ok, I tried running Rkill, but got a pop-up message saying "windows cannot open this file :pev.rkexe" and I tried to go online to find the right program, but that comes up as an "unknown" file type.

For the DDS.scr :

DDS (Ver_09-12-01.01) - NTFSx86
Run by Standard at 8:13:10.98 on Tue 03/02/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2046 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\sttray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Users\Standard\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [TOY5KNQ8OC] c:\users\standard\appdata\local\temp\Am4.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\standard\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-10-7 35168]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-3-13 472280]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-12-28 84832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-6-10 30192]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 8:17:30.30 ===============


and then the Attach:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 6/10/2008 3:02:06 AM
System Uptime: 3/2/2010 8:01:21 AM (0 hours ago)

Motherboard: Gateway | |
Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | U2E1 | 2000/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 137 GiB total, 30.142 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 5.205 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {ff646f80-8def-11d2-9449-00105a075f6b}
Description: pcouffin device ...
Device ID: ROOT\PCOUFFIN\0000
Manufacturer:
Name: pcouffin device ...
PNP Device ID: ROOT\PCOUFFIN\0000
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 9.3
Agere Systems HDA Modem
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
BigFix
Bonjour
Browser Address Error Redirector
Camera Assistant Software for Gateway
Combined Community Codec Pack 2008-09-21 16:18
Comical 0.8
Compatibility Pack for the 2007 Office system
ConvertXtoDVD 2.2.3.258
CyberLink Power2Go
eFax Messenger
ESET NOD32 Antivirus
Gateway Games
Gateway Recovery Center Installer
Google Desktop
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IDT Audio
ImgBurn
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 5
LabelPrint
Magic DVD Ripper V5.4.2
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Microsoft .NET Framework 3.5 SP1
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Napster
Napster Burn Engine
Orbit Downloader
Pinnacle VideoSpin
Plato DVD Ripper Professional 6.66.14
QuickTime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek USB 2.0 Card Reader
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype™ 3.8
SpywareBlaster 4.2
Synaptics Pointing Device Driver
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wmdiper
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wmdiper
TurboTax 2009 wrapper
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Live Messenger
Windows Media Player Firefox Plugin
Windows System Scanner
WinRAR archiver
Xvid 1.2.1 final uninstall

==== End Of File ===========================


I ran MBAM and got this:

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

3/2/2010 8:29:58 AM
mbam-log-2010-03-02 (08-29-58).txt

Scan type: Quick Scan
Objects scanned: 96951
Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Sorry for the awfully long posting!

On a good note, the weird spyware "alert" messages have stopped - not sure which of the above stopped it, and Vista Internet Security 2010 isn't automatically popping up.



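The DDS Pseudo HJT Report in this post contains the classic rogue-AV persistence entry, `uRun: [TOY5KNQ8OC] c:\users\standard\appdata\local\temp\Am4.exe`: a per-user Run value with a random-looking name pointing into %TEMP%, which is exactly the kind of line a helper looks for first when reading these logs. The script below is an added example, not part of this thread or of the DDS tool; it parses the Run/RunOnce and BHO lines of a DDS report (sample lines copied from the log above) and ranks each autostart entry with those heuristics.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: autostart lines copied from the DDS "Pseudo HJT
# Report" posted in this thread, plus the orphaned BHO entry from the same log.
SAMPLE_DDS = r"""
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TOY5KNQ8OC] c:\users\standard\appdata\local\temp\Am4.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
"""

# DDS prefixes: u = HKEY_CURRENT_USER, m = HKEY_LOCAL_MACHINE.
RUN_RE = re.compile(r"^(?P<hive>[um])(?P<kind>RunOnce|Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?)(?P<clsid>\{[0-9a-f-]{36}\}) - (?P<cmd>.*)$", re.I)
# First executable/DLL mentioned in the command, with the optional leading quote dropped.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd))', re.I)
# Covers %TEMP% under AppData\Local as well as C:\Windows\Temp.
TEMP_DIRS = ("\\temp\\", "\\tmp\\")


@dataclass
class Entry:
    source: str           # "uRun", "mRun", "mRunOnce" or "BHO"
    name: str             # registry value name, or CLSID for an unnamed BHO
    cmd: str              # raw command / target as printed by DDS
    path: Optional[str]   # lower-cased executable path, None if none was found


@dataclass
class Finding:
    entry: Entry
    score: int
    reasons: list


def parse_dds(text: str) -> list:
    """Extract Run/RunOnce and BHO entries from the Pseudo HJT section of a DDS log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            source, name, cmd = m["hive"] + m["kind"], m["name"], m["cmd"]
        else:
            m = BHO_RE.match(line)
            if not m:
                continue
            source, name, cmd = "BHO", m["name"].rstrip(": ") or m["clsid"], m["cmd"]
        p = EXE_RE.match(cmd)
        entries.append(Entry(source, name, cmd, p["path"].lower() if p else None))
    return entries


def looks_random(name: str) -> bool:
    """Rogue installers commonly register an upper-case alphanumeric value name."""
    return (len(name) >= 8 and name.isalnum() and name.isupper()
            and sum(c.isdigit() for c in name) >= 2
            and sum(c.isalpha() for c in name) >= 2)


def assess(entry: Entry) -> Finding:
    """Score one autostart entry; every matched heuristic adds one point."""
    reasons = []
    if entry.path and any(d in entry.path for d in TEMP_DIRS):
        reasons.append("executable lives in a temp directory")
    if looks_random(entry.name):
        reasons.append("random-looking value name")
    if entry.path is None and "no file" in entry.cmd.lower():
        reasons.append("orphaned entry: target file is missing")
    if reasons and entry.source.startswith("u"):
        reasons.append("per-user (HKCU) autostart, needs no admin rights to create")
    return Finding(entry, len(reasons), reasons)


def triage(text: str) -> list:
    """Return findings sorted by score, highest first; clean entries are dropped."""
    findings = [assess(e) for e in parse_dds(text)]
    return sorted((f for f in findings if f.score), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.score}] {f.entry.source} [{f.entry.name}] {f.entry.cmd}")
        for r in f.reasons:
            print("     -", r)
```

Run against a full DDS.txt it produces a ranked list; the vendor entries under Program Files score zero and drop out, leaving the temp-directory and orphaned items to check first.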

#3
March 2, 2010 at 16:35:28
You first need to go to add/remove programs and uninstall McAfee as it is still trying to run some files on your system. Then run the McAfee removal tool (MCPR.exe) from the provided link.

MCPR.exe

You need to update Java. Go to Start > Control Panel > click the Java icon > Update > Update Now and allow it to update. If there are any offers such as a toolbar, uncheck the box when the prompt appears. The newest Java is version 6 update 18.

Please download ComboFix from Internet Explorer instead of another browser if possible.

Remember: your ESET antivirus, Windows Defender, and Ad-Aware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#4
March 3, 2010 at 18:20:03
Ok, let's see -

McAfee is off the computer and I turned off Windows Defender - I didn't realize that was even on my comp, so hopefully that didn't mess me up on the previous responses. I couldn't find the "Ad-Aware" in order to delete or disable it, so hope that doesn't mess up the results either.

One thing I was curious about - after combofix had run, it then seemed to have logged into the ADMIN account vice my standard one that I usually use when I'm puttering around on the laptop (All the icons on the desktop were from the Admin account and I couldn't see some of the files that are usually on the desktop from this account). I did have to reboot to get the internet connection back, but remembered to save the combofix log this time.

I'm also really confused right now since I did disable the ESET NOD32 - I'm staring at the red "disabled" notification right now (can I turn that back on now or should I just limit my internet connectivity on this laptop unless I'm posting log responses?), so I'm not sure why it's still showing up as "enabled" on the test results from the combofix. Here's the log you asked for :


ComboFix 10-02-27.04 - Kisaki 03/03/2010 20:45:33.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2106 [GMT -5:00]
Running from: c:\users\Standard\Desktop\virus stuff\Combo-Fix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-710243377-3777013803-3809824090-500
c:\users\Kisaki\AppData\Roaming\inst.exe
c:\users\Standard\AppData\Local\av.exe
c:\windows\system32\stacsv.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-02 23:21 . 2010-03-02 02:10 38784 ----a-w- c:\users\Standard\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-02 12:51 . 2010-03-02 12:51 -------- d-----w- c:\users\Standard\AppData\Roaming\Malwarebytes
2010-03-02 02:20 . 2010-03-02 02:20 -------- d-----w- c:\users\Kisaki\AppData\Roaming\Malwarebytes
2010-03-02 02:20 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 02:20 . 2010-03-02 02:20 -------- d-----w- c:\programdata\Malwarebytes
2010-03-02 02:20 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 02:20 . 2010-03-02 02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 02:11 . 2010-03-02 02:10 38784 ----a-w- c:\users\Kisaki\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-02 02:11 . 2010-03-02 02:10 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-02 02:10 . 2010-03-02 02:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-02 02:10 . 2010-03-02 02:10 -------- d-----w- c:\programdata\McAfee
2010-03-02 02:10 . 2010-03-02 02:10 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-03-02 02:10 . 2010-03-02 13:02 -------- d-----w- c:\programdata\NOS
2010-02-28 20:35 . 2010-02-28 21:14 -------- d-----w- c:\program files\SpywareBlaster
2010-02-28 19:09 . 2010-02-28 19:09 -------- d-----w- c:\users\Standard\AppData\Roaming\GrabPro
2010-02-28 18:43 . 2010-02-28 18:43 -------- d-----w- c:\users\Standard\AppData\Local\ESET
2010-02-24 00:31 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 00:30 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 00:30 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 00:30 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 00:30 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 00:30 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 00:30 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 00:30 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 00:30 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 00:30 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 00:30 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 00:30 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 00:30 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-18 22:45 . 2010-02-18 22:45 -------- d-----w- c:\users\Standard\AppData\Local\IsolatedStorage
2010-02-18 22:27 . 2010-02-18 22:27 -------- d-----w- c:\users\Kisaki\AppData\Local\IsolatedStorage
2010-02-10 17:12 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 17:12 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 17:12 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 17:12 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 17:12 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 17:12 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-10 17:12 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-10 17:11 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-10 17:11 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-10 17:11 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-10 17:11 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-10 17:11 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-10 17:11 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-10 17:11 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-10 17:11 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-10 17:11 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 17:11 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 01:24 . 2008-06-10 07:28 -------- d-----w- c:\program files\Java
2010-03-04 01:22 . 2008-06-10 07:28 -------- d-----w- c:\program files\Common Files\Java
2010-03-04 01:21 . 2009-01-19 18:08 -------- d-----w- c:\users\Standard\AppData\Roaming\uTorrent
2010-03-02 13:02 . 2008-10-19 20:24 79560 ----a-w- c:\users\Kisaki\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-02 12:49 . 2008-11-28 14:13 -------- d-----w- c:\program files\ESET
2010-03-02 02:15 . 2008-06-10 07:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-28 05:00 . 2009-08-10 02:39 680 ----a-w- c:\users\Standard\AppData\Local\d3d9caps.dat
2010-02-24 19:50 . 2008-11-29 22:38 79560 ----a-w- c:\users\Standard\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2009-10-03 03:52 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-18 22:25 . 2008-11-25 22:36 -------- d-----w- c:\program files\TurboTax
2010-02-10 21:14 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-25 17:58 . 2010-01-25 17:58 0 ----a-w- c:\users\Standard\AppData\Roaming\wklnhst.dat
2010-01-25 17:58 . 2010-01-25 17:58 -------- d-----w- c:\users\Standard\AppData\Roaming\Template
2010-01-06 15:38 . 2010-02-24 00:30 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 00:30 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 00:30 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-24 00:30 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2009-12-29 00:04 . 2009-12-29 00:04 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-18 13:01 . 2010-01-22 09:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-17 22:14 . 2008-12-16 21:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 11:44 . 2010-01-22 09:35 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-07 18:15 . 2009-12-07 18:15 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2009-12-07 18:15 . 2009-12-07 18:15 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-11-13 18:30 . 2009-11-13 18:30 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-13 30192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-30 1389904]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]

c:\users\Standard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2008-6-10 2342912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ec,34,9c,64,12,5c,ca,01

R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [10/7/2009 9:18 AM 35168]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472280]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\drivers\ASPI32.SYS [12/28/2008 12:01 PM 84832]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/10/2008 2:27 AM 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Kisaki\AppData\Roaming\Mozilla\Firefox\Profiles\hoggeevb.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 20:51
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-03-03 20:53:00
ComboFix-quarantined-files.txt 2010-03-04 01:52

Pre-Run: 16,041,861,120 bytes free
Post-Run: 24,490,840,064 bytes free

- - End Of File - - 263FA774960C15726FE98420F83E8D36


I really appreciate your patience - thanks again for working with me!



#5
March 3, 2010 at 21:47:03
Always turn your antivirus back on before you go online.

Please run the BitDefender online scan from this link:
Bitdefender Online Scanner

Click I Agree to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click Click here to scan to begin the scan.
Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
When the scan is finished, click on Click here to export the scan results.
Save the report to your desktop so you can post it in your next reply.



#6
March 4, 2010 at 16:27:03
Will do, re: keeping ESET on when I'm online.
Here are the results, and it looks good: "No infection found!"

Thank you again!


BitDefender QuickScan Beta 32-bit v0.9.9.8
------------------------------------------

Scan date: Thu Mar 04 19:23:27 2010
Machine ID: AA396882

No infection found.
---------------------


Processes
---------
<unsigned> BigFix 3392 C:\Program Files\BigFix\bigfix.exe
<unsigned> CEC_MAIN.exe 3648 C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
<unsigned> Chicony traybar 3204 C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
<unsigned> eFax Messenger (tm) 3380 C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
<unsigned> IDT Audio 3288 C:\Windows\sttray.exe

<verified> ESET Smart Security 3336 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
<verified> Firefox 2916 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> Google Desktop 3224 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
<verified> GoogleToolbarNotifier 3364 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
<verified> Intel(R) Common User Interface 2944 C:\Windows\System32\hkcmd.exe
<verified> Intel(R) Common User Interface 2952 C:\Windows\System32\igfxpers.exe
<verified> Intel(R) Common User Interface 3032 C:\Windows\system32\igfxsrvc.exe
<verified> Intel(R) Common User Interface 2936 C:\Windows\System32\igfxtray.exe
<verified> iTunes 3276 C:\Program Files\iTunes\iTunesHelper.exe
<verified> Java(TM) Platform SE Auto Updater 2 0 3240 C:\Program Files\Common Files\Java\Java Update\jusched.exe
<verified> Microsoft Office OneNote 3404 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
<verified> Microsoft® Windows® Operating System 3512 C:\Windows\ehome\ehmsas.exe
<verified> Microsoft® Windows® Operating System 3352 C:\Windows\ehome\ehtray.exe
<verified> Microsoft® Windows® Operating System 2708 C:\Windows\Explorer.EXE
<verified> Microsoft® Windows® Operating System 2652 C:\Windows\system32\Dwm.exe
<verified> Microsoft® Windows® Operating System 2628 C:\Windows\system32\taskeng.exe
<verified> RAID Event Monitor 2960 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe


Network activity
----------------


Autoruns and critical files
---------------------------
<unsigned> Chicony traybar C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
<unsigned> eFax Messenger (tm) C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
<unsigned> Google Desktop c:\Program Files\Google\Google Desktop Search\googledesktopnetwork3.dll
<unsigned> IDT Audio C:\Windows\sttray.exe
<unsigned> QuickTime C:\Program Files\QuickTime\QTTask.exe
<unsigned> soft thinks Launcher C:\Windows\SMINST\launcher.exe

<verified> Adobe Acrobat C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
<verified> Adobe Reader and Acrobat Manager C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
<verified> ESET Smart Security C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
<verified> Google Desktop C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
<verified> GoogleToolbarNotifier C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
<verified> Intel(R) Common User Interface C:\Windows\System32\hkcmd.exe
<verified> Intel(R) Common User Interface C:\Windows\System32\igfxdev.dll
<verified> Intel(R) Common User Interface C:\Windows\System32\igfxpers.exe
<verified> Intel(R) Common User Interface C:\Windows\System32\igfxtray.exe
<verified> iTunes C:\Program Files\iTunes\iTunesHelper.exe
<verified> Java(TM) Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe
<verified> Malwarebytes' Anti-Malware C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
<verified> Microsoft® Windows® Operating System C:\Windows\ehome\ehtray.exe
<verified> Microsoft® Windows® Operating System C:\Windows\System32\browseui.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\oobefldr.dll
<verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
<verified> RAID Event Monitor C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
<verified> Synaptics Pointing Device Driver C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
<verified> Windows Defender C:\Program Files\Windows Defender\MSASCui.exe
<verified> Windows® Internet Explorer C:\Windows\System32\webcheck.dll


Browser plugins
---------------
<unsigned> Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
<unsigned> Browser Address Error Redirector c:\windows\system32\bae.dll
<unsigned> npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

<verified> AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
<verified> Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<verified> Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
<verified> BitDefender QuickScan C:\Users\Standard\AppData\Roaming\Mozilla\Firefox\Profiles/w7ub7vye.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified> BitDefender QuickScan C:\Users\Standard\AppData\Roaming\Mozilla\Firefox\Profiles/w7ub7vye.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> Fast Search c:\program files\google\google toolbar\component\fastsearch_b7c5ac242193bb3e.dll
<verified> Google Toolbar for Internet Explorer c:\program files\google\google toolbar\googletoolbar_32.dll
<verified> GoogleToolbarNotifier C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
<verified> Grab Pro c:\program files\orbitdownloader\grabpro.dll
<verified> Java Deployment Toolkit 6.0.180.7 C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
<verified> Java(TM) Platform SE 6 U18 c:\program files\java\jre6\bin\jp2ssv.dll
<verified> Microsoft® Windows Media Player Firefox C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\mswsock.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\NapiNSP.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\nlaapi.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\pnrpnsp.dll
<verified> Microsoft® Windows® Operating System C:\Windows\System32\winrnr.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> NPSWF32.dll C:\Windows\System32\Macromed\Flash\NPSWF32.dll
<verified> Orbitcth c:\program files\orbitdownloader\orbitcth.dll
<verified> Windows Presentation Foundation c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
<verified> Windows® Internet Explorer C:\Windows\System32\ieframe.dll


Missing files
-------------
File not found: C:\Users\Standard\AppData\Local\Temp\Am4.exe
referenced in: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"TOY5KNQ8OC"


Scan
----
<unsigned> MD5: e01c13132eff709187d45af6f4711f57 C:\Program Files\BigFix\bigfix.exe
<unsigned> MD5: d6ae5a9dc2a8d46864ee529d057bc97f C:\Program Files\BigFix\Lib\engine.dll
<unsigned> MD5: 22573d2ddb0c17c32a1019927446d289 C:\Program Files\BigFix\Lib\Inspectors\Inspect.dll
<unsigned> MD5: 0e3e56064e162ee9cc48698355098301 C:\Program Files\Bonjour\mdnsNSP.dll
<unsigned> MD5: cf38ebf06aeca9912c6a756aa6cb0421 C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
<unsigned> MD5: 97cb28f0dd031e5a4046e870a581b23c C:\Program Files\Camera Assistant Software for Gateway\ceccmdll.dll
<unsigned> MD5: 6a64d85b2d9b60e4da81de544e41c2bd C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
<unsigned> MD5: 9f6eedc57a79ab177f1ae6c85a951969 C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ffdshow.ax
<unsigned> MD5: ca2f560921b7b8be1cf555a5a18d54c3 C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\msvcr71.dll
<unsigned> MD5: a54aac5e131ee45575986869c605be79 C:\Program Files\Combined Community Codec Pack\Filters\VSFilter.dll
<unsigned> MD5: e59cc8213abfe1b6c30ccc051a7cf058 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\iTunesMobileDevice.dll
<unsigned> MD5: e2a4a92a3d594f9de068c1bbebd6d58d C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
<unsigned> MD5: 686b224b4987c22b153fbb545fee9657 C:\Program Files\ESET\ESET NOD32 Antivirus\mfc80u.dll
<unsigned> MD5: b87279634826897af9c2fd986c4e50d4 C:\Program Files\Google\Google Desktop Search\GoogleDesktopAPI2.dll
<unsigned> MD5: 97ee34038653370cb3fe57e1f024a6ae C:\Program Files\Google\Google Desktop Search\GoogleDesktopCommon.dll
<unsigned> MD5: bf0a0d9d7bbbb8f894b4f7b49883aaaf C:\Program Files\Google\Google Desktop Search\GoogleDesktopHyper.dll
<unsigned> MD5: 66a96140e075617701be421ecabbba48 c:\Program Files\Google\Google Desktop Search\googledesktopnetwork3.dll
<unsigned> MD5: d9d7099cbb6cacdbc88ed27f28407457 C:\Program Files\Google\Google Desktop Search\GoogleDesktopResources_en.dll
<unsigned> MD5: 11a8da17a09784c2dc9143ecaedd5319 C:\Program Files\Google\Google Desktop Search\GoogleServices.dll
<unsigned> MD5: c0d0179784c543bdf297932fafa2bb20 C:\Program Files\Google\Google Desktop Search\gzlib.dll
<unsigned> MD5: 1ff6c24219df90a657737f31a448ead4 C:\Program Files\Intel\Intel Matrix Storage Manager\Iaamon_ENU.dll
<unsigned> MD5: c0e7898090d81772ea927e9a3c71817c C:\Program Files\Intel\Intel Matrix Storage Manager\ISDI.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> MD5: 2de7bc987ec12c2e7daf76466cdc296d C:\Program Files\iTunes\iTunesHelper.Resources\en.lproj\iTunesHelperLocalized.dll
<unsigned> MD5: 980d1e904e059139f075711ece5bdcb8 C:\Program Files\iTunes\iTunesHelper.Resources\iTunesHelper.dll
<unsigned> MD5: c51dc246068604b974202ce440b25ce1 C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
<unsigned> MD5: b0b8ccd9f492247e012c1f8d0b3ba621 C:\Program Files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
<unsigned> MD5: 10923b9982625f4528b0706beb94cc0a C:\Program Files\Mozilla Firefox\freebl3.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> MD5: e36f134d37fb11d2d8a11041aadf9ef3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> MD5: 4101bdec4e6a49ef30437d3f8d67d39d C:\Program Files\Mozilla Firefox\softokn3.dll
<unsigned> MD5: 0777c0cd31441e876681443d09d4da5f C:\Program Files\QuickTime\QTSystem\QuickTime.qts
<unsigned> MD5: 0c070e8af645c3f8a0657cb3e1514069 C:\Program Files\QuickTime\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.dll
<unsigned> MD5: bc2735d4bfea67cfc41ca26e1b4d0ab8 C:\Program Files\QuickTime\QTSystem\QuickTime.Resources\QuickTime.dll
<unsigned> MD5: 9c9b6807425cef840c117654d8b033d1 C:\Program Files\QuickTime\QTTask.exe
<unsigned> MD5: 56f0188ebbdcf4d632611ed83d47f338 C:\Program Files\Samsung\Samsung PC Studio 3\FunConvFilter.ax
<unsigned> MD5: f11fe030158f8ef14a56a3ea9e9bd47d C:\Program Files\WinRAR\RarExt.dll
<unsigned> MD5: 7c8d84a7aea23cd018564e0a48e1c2ca C:\Windows\SMINST\launcher.exe
<unsigned> MD5: 485a4912b2d639694f836451a2b30435 C:\Windows\sttray.exe
<unsigned> MD5: 3467178ae878796650290ca54361c810 c:\windows\system32\bae.dll
<unsigned> MD5: e54e27976e2c5a6465d44c10b1d87ac0 C:\Windows\System32\DRIVERS\ASPI32.sys
<unsigned> MD5: 49470a4b2ebd85668be29efc6d2eb59c C:\Windows\System32\pvmjpg30.dll
<unsigned> MD5: f2b4a9d0d0e1fbf6cca824ea0a76ffc0 C:\Windows\System32\stlang.dll
<unsigned> MD5: 9090454e6772f7cfbce240bf4dc5f7e8 C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80ENU.dll


No file uploaded.

Scan finished - communication took 2 sec
Total traffic - 0.05 MB sent, 2.49 KB recvd
Scanned 992 files and modules - 45 seconds



#7
March 4, 2010 at 17:52:35
Looks good.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Driver::
TOY5KNQ8OC

Registry::
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"TOY5KNQ8OC" =-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.

A little clean-up to do.

Delete DDS from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create> click home> exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

Glad we could help.
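The QuickScan log in #6 flagged exactly the kind of leftover that the CFScript above removes: a Run value ("TOY5KNQ8OC") pointing at a file in the Temp folder that no longer exists. As an added example, not code from this thread, from ComboFix or from BitDefender, here is a PowerShell audit that lists the Run/RunOnce values for the current user and the machine and flags any whose target is missing or lives under a Temp folder. The function names Find-OrphanAutorun and Get-AutorunTarget are chosen for this example only.

```powershell
# Added example, not part of the thread: audit the classic Run/RunOnce
# autostart keys and flag values whose target file is missing or lives in a
# Temp folder (the condition QuickScan reported for HKCU\...\Run\"TOY5KNQ8OC").
# Find-OrphanAutorun and Get-AutorunTarget are names chosen for this example.

function Get-AutorunTarget {
    param([string]$Command)
    # Reduce a Run value ("C:\Program Files\x\y.exe" /arg, or y.exe /arg, or
    # rundll32.exe some.dll,Entry) to the executable path it launches.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.*?\.(exe|dll|com|cmd|bat|vbs|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Find-OrphanAutorun {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, ...; skip those.
            if ($p.Name -like 'PS*') { continue }
            $target = [Environment]::ExpandEnvironmentVariables((Get-AutorunTarget ([string]$p.Value)))
            if ([string]::IsNullOrWhiteSpace($target)) { continue }
            # A bare name such as sttray.exe resolves through PATH, so fall back to Get-Command.
            $exists = (Test-Path -LiteralPath $target) -or
                      ($null -ne (Get-Command -Name $target -ErrorAction SilentlyContinue))
            $flag = ''
            if (-not $exists) { $flag = 'MISSING TARGET' }
            elseif ($target -match '\\Temp\\') { $flag = 'runs from Temp' }
            [pscustomobject]@{
                Key    = $key
                Name   = $p.Name
                Target = $target
                Flag   = $flag
            }
        }
    }
}

# Show every entry; the Flag column is what to look at.
Find-OrphanAutorun | Format-Table -AutoSize
```

Run it in a PowerShell window logged in as the account whose HKCU you want to check (the orphan in this thread was under the "Standard" user's hive). A MISSING TARGET row is a leftover pointer, not an infection by itself, but it is the trace that a Run value once launched something that has since been removed, which is why the CFScript deletes the value rather than ignoring it.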



#8
March 4, 2010 at 18:37:53
Automated and Manual Removal Instructions for Vista Internet Security 2010:
http://www.removespywareguides.com/how-to-remove-vista-internet-security-2010.html


#9
March 5, 2010 at 15:10:50
Yay!

OK, here's the last log posting:

ComboFix 10-02-27.04 - Kisaki 03/05/2010 17:45:20.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2165 [GMT -5:00]
Running from: c:\users\Standard\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Standard\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 22:50 . 2010-03-05 22:50 -------- d-----w- c:\users\Kisaki\AppData\Local\temp
2010-03-05 22:50 . 2010-03-05 22:50 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-05 22:50 . 2010-03-05 22:50 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-03-05 22:50 . 2010-03-05 22:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-05 00:23 . 2010-03-05 00:24 -------- d-----w- c:\users\Standard\AppData\Roaming\QuickScan
2010-03-05 00:23 . 2010-02-27 04:40 634616 ----a-w- c:\users\Standard\AppData\Roaming\Mozilla\Firefox\Profiles\w7ub7vye.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-03-05 00:23 . 2010-02-27 04:40 799440 ----a-w- c:\users\Standard\AppData\Roaming\Mozilla\Firefox\Profiles\w7ub7vye.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-03-02 23:21 . 2010-03-02 02:10 38784 ----a-w- c:\users\Standard\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-02 12:51 . 2010-03-02 12:51 -------- d-----w- c:\users\Standard\AppData\Roaming\Malwarebytes
2010-03-02 02:20 . 2010-03-02 02:20 -------- d-----w- c:\users\Kisaki\AppData\Roaming\Malwarebytes
2010-03-02 02:20 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 02:20 . 2010-03-02 02:20 -------- d-----w- c:\programdata\Malwarebytes
2010-03-02 02:20 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 02:20 . 2010-03-02 02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 02:11 . 2010-03-02 02:10 38784 ----a-w- c:\users\Kisaki\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-02 02:11 . 2010-03-02 02:10 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-02 02:10 . 2010-03-02 02:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-02 02:10 . 2010-03-02 02:10 -------- d-----w- c:\programdata\McAfee
2010-03-02 02:10 . 2010-03-02 02:10 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-03-02 02:10 . 2010-03-02 13:02 -------- d-----w- c:\programdata\NOS
2010-02-28 20:35 . 2010-02-28 21:14 -------- d-----w- c:\program files\SpywareBlaster
2010-02-28 19:09 . 2010-02-28 19:09 -------- d-----w- c:\users\Standard\AppData\Roaming\GrabPro
2010-02-28 18:43 . 2010-02-28 18:43 -------- d-----w- c:\users\Standard\AppData\Local\ESET
2010-02-24 00:31 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 00:30 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 00:30 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 00:30 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 00:30 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 00:30 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 00:30 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 00:30 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 00:30 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 00:30 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 00:30 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 00:30 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 00:30 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-18 22:45 . 2010-02-18 22:45 -------- d-----w- c:\users\Standard\AppData\Local\IsolatedStorage
2010-02-18 22:27 . 2010-02-18 22:27 -------- d-----w- c:\users\Kisaki\AppData\Local\IsolatedStorage
2010-02-10 17:12 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 17:12 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 17:12 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 17:12 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 17:12 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 17:12 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-10 17:12 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-10 17:11 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-10 17:11 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-10 17:11 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-10 17:11 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-10 17:11 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-10 17:11 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-10 17:11 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-10 17:11 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-10 17:11 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 17:11 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 01:24 . 2008-06-10 07:28 -------- d-----w- c:\program files\Java
2010-03-04 01:22 . 2008-06-10 07:28 -------- d-----w- c:\program files\Common Files\Java
2010-03-04 01:21 . 2009-01-19 18:08 -------- d-----w- c:\users\Standard\AppData\Roaming\uTorrent
2010-03-02 13:02 . 2008-10-19 20:24 79560 ----a-w- c:\users\Kisaki\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-02 12:49 . 2008-11-28 14:13 -------- d-----w- c:\program files\ESET
2010-03-02 02:15 . 2008-06-10 07:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-28 05:00 . 2009-08-10 02:39 680 ----a-w- c:\users\Standard\AppData\Local\d3d9caps.dat
2010-02-24 19:50 . 2008-11-29 22:38 79560 ----a-w- c:\users\Standard\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2009-10-03 03:52 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-18 22:25 . 2008-11-25 22:36 -------- d-----w- c:\program files\TurboTax
2010-02-10 21:14 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-25 17:58 . 2010-01-25 17:58 0 ----a-w- c:\users\Standard\AppData\Roaming\wklnhst.dat
2010-01-25 17:58 . 2010-01-25 17:58 -------- d-----w- c:\users\Standard\AppData\Roaming\Template
2010-01-06 15:38 . 2010-02-24 00:30 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 00:30 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 00:30 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-24 00:30 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2009-12-29 00:04 . 2009-12-29 00:04 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-18 13:01 . 2010-01-22 09:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-17 22:14 . 2008-12-16 21:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 11:44 . 2010-01-22 09:35 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-07 18:15 . 2009-12-07 18:15 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2009-12-07 18:15 . 2009-12-07 18:15 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-11-13 18:30 . 2009-11-13 18:30 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-13 30192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-30 1389904]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]

c:\users\Standard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2008-6-10 2342912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ec,34,9c,64,12,5c,ca,01

R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [10/7/2009 9:18 AM 35168]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472280]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\drivers\ASPI32.SYS [12/28/2008 12:01 PM 84832]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/10/2008 2:27 AM 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Kisaki\AppData\Roaming\Mozilla\Firefox\Profiles\hoggeevb.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 17:50
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-03-05 17:52:03
ComboFix-quarantined-files.txt 2010-03-05 22:52
ComboFix2.txt 2010-03-04 01:53

Pre-Run: 37,465,788,416 bytes free
Post-Run: 37,437,313,024 bytes free

- - End Of File - - 24E168EE49D240A60841E365E1A9856E


DDS deleted,
ComboFix Uninstalled,
ATF Cleaner run
New Restore point established successfully, and Spyware Blaster running in the background!

Thanks again for such wonderful assistance! I REALLY appreciate it!

Have a great day!

#10
March 6, 2010 at 21:45:54
Vista Internet Security virus is a fake rogue spyware program. To remove it, follow the instructions within this link:
http://techvts.com/security/vista-i...

#11
March 6, 2010 at 21:47:57
Again, glad we could help.