Malwarebytes

My Mom's computer finds but cannot delete Trojan:Win32/Comisproc

35 replies to this topic

#21
MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
That's not the complete log.
Could you copy and paste the complete log back here, MrC

Malware Removal Expert


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#22
moondog90

    New Member

  • Members
  • 22 posts
  • Gender:Male
Hello MrCharlie,
Many thanks for all your help. I have learned how to watch you service various people on this subforum.
You do the work of three people!

This will be my swan song. I have time to run one or two more programs for you and post the results.
Then I will have to return home and leave Mom's computer for about a month. I will read the forum but
will not be able to experiment on Mom's computer. So...

1. Tell me what you think of the ComboFix output.
2. Tell me what to run next and I will give you output before I go home.
3. Tell me your conclusions given all of the outputs taken together.

4. Later, read the short novel below and tell me later what you think of it (BestSeller? KeepTheDayJob?)


Something to Consider!

The detection of Trojan:Win32/Comisproc by Microsoft Security Essentials (MSE) may be a "false positive".
It is almost certainly "interference" between antiviruses. It may be "synergy" between AVs!

In my first post to this Forum, paragraph 5, I said:
"To help you understand better which version of comisproc [Mom] has, I will tell you what MSE says about it.
The trojan always hides in C:\Windows\Temp\_avast4_\ and has names like unp251129543.tmp".
This is according to the MSE History.

When I go to C:\Windows\Temp\_avast4_\ it is always empty. (OK I thought, so MSE has deleted it...)
If I delete the folder _avast4_ it comes back! What is creating and using the _avast4_ folder?
Avast is an antivirus I never installed. Under C:\Program Files (x86)\Common Files\G Data\AVKScanP\
I find folders AdAware and Avast (containing a compressed folder of the Avast Engine).

I find processes running such as GDFirewallTray.exe (the G-Data Personal Firewall) and AVKTray.exe.
Holy Crap! A little research turns up that G-Data uses the Avast (and Bitdefender) engines.
Ad-Aware Total Security (the version I have repeatedly mentioned that I use) is an OEM version of GDATA,
and uses the G-DATA engine! I am now pretty sure that Ad-Aware Total Security's "Personal Firewall" is not
Microsoft Firewall but is the G-Data Personal Firewall (hence the running process GDFirewallTray.exe).
Is G-Data Personal Firewall the same as Microsoft Firewall?

Well, Microsoft says not to use any other security tool with MSE. Mom bought her computer with Windows 7
pre-installed. I did not even know what MSE was until it started reporting trojans. I installed Ad-Aware T. S.
because I use it on my XP computer at home and it finds more stuff than anything else I have tried.

So the question is: Is Ad-Aware finding a real Trojan:Win32/Comisproc, and putting it in the _avast4_ folder?
I believe this is the folder where Avast unpacks and scans files, so if Avast unpacks a file into that folder,
might it be discovered and deleted by MSE?
Or perhaps, is MSE seeing a "false positive" of something that the Ad-Aware real-time protection is putting
in the _avast4_ folder?

(When I command Ad-Aware to "scan the computer" it never finds any trojans. Ad-Aware real-time protection
comes on boot-up, but it scans only on command, no schedule. MSE scans on daily schedule.)

Should I un-install Ad-Aware and MSE and then re-install MSE (I am sure that is what Microsoft would say).
But is MSE capable of finding trojans without Ad-Aware's "help"? To answer this question read the next paragraph!

In #9, Posted 01 May 2012 - 07:26 PM, I say that MSE detected Trojan:JS/IframeRef on a website
whose name is similar to yours (www.malwarbytes.org). This is probably true, but the question remains:
did Ad-Aware (using the Avast engine) find it and then have it "stolen" from its scanning folder by MSE?
MSE reports the trojan found: C:\Windows\Temp\AvkHttp02EB1919.tmp (note, this one was in Temp not Temp\_avast4_)
I told MSE to exclude C:\Windows\Temp. Neither MSE nor Ad-Aware reported the trojan (Ad-Aware virus monitor set to
"query desired action", firewall: Auto, Normal Security). I removed the exclusion from MSE, and MSE again found it.
I disable Ad-Aware's "Web protection". Nobody finds the trojan. I re-enable Ad-Aware Web protection,
MSE finds the trojan! Synergy?

What do you make of that???



At the end of my post for DDS.attach you will see some entries for: "Error: Microsoft Antimalware [3002]".
This also sounds like a conflict between run-time protections. Ad-Aware and MSE? Solution?

#23
MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Quote

1. Tell me what you think of the ComboFix output.

You didn't post the complete ComboFix log, I sent you a PM and also posted a request in this thread.

Before we continue, I need to see the complete ComboFix log, MrC


#25
moondog90

    New Member

  • Members
  • 22 posts
  • Gender:Male
ComboFix 12-05-03.02 - Mary 05/03/2012 12:43:42.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.3127 [GMT -7:00]
Running from: c:\users\Mary\Desktop\ComboFix.exe
AV: Ad-Aware Total Security *Disabled/Updated* {54ACC2FC-837E-E665-7A92-5352D560D5EF}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
FW: Ad-Aware Personal Firewall *Disabled* {6C9743D9-C911-E73D-51CD-FA672BB39294}
SP: Ad-Aware Total Security *Disabled/Updated* {EFCD2318-A544-E9EB-4022-6820AEE79F52}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-04-03 to 2012-05-03 )))))))))))))))))))))))))))))))
.
.
2012-05-03 19:52 . 2012-05-03 19:52 -------- d-----w- c:\users\Steve\AppData\Local\temp
2012-05-03 19:52 . 2012-05-03 19:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-03 19:52 . 2012-05-03 19:52 -------- d-----w- c:\users\Carol\AppData\Local\temp
2012-05-03 14:54 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C6D5769D-5EA5-4893-9BA6-D31C53F71099}\mpengine.dll
2012-05-03 00:13 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-02 06:38 . 2012-05-02 06:38 116016 ----a-w- c:\windows\system32\drivers\21426115.sys
2012-05-02 06:26 . 2012-05-02 06:26 116016 ----a-w- c:\windows\system32\drivers\62644338.sys
2012-05-02 03:11 . 2012-05-02 03:11 8766112 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-05-02 03:02 . 2012-05-02 03:11 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-01 17:44 . 2012-05-01 17:44 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-04-26 14:50 . 2012-04-26 14:50 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-04-26 14:50 . 2012-04-26 14:50 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-26 14:50 . 2012-04-26 14:50 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-04-16 10:22 . 2012-04-16 10:22 -------- d-----w- c:\users\Mary\AppData\Roaming\Malwarebytes
2012-04-16 10:22 . 2012-04-16 10:22 -------- d-----w- c:\programdata\Malwarebytes
2012-04-16 10:22 . 2012-05-01 20:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-16 10:22 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-14 23:58 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-14 23:58 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-14 23:58 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-14 23:58 . 2012-04-14 23:58 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-04-14 23:55 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-14 23:55 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-14 23:55 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-14 23:55 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-14 23:55 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-14 23:55 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-14 23:55 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-03 14:07 . 2011-10-13 20:08 106224 ----a-w- c:\windows\SysWow64\drivers\GRD.sys
2012-05-02 03:11 . 2011-10-12 18:00 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-21 03:44 . 2011-04-27 22:25 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 03:44 . 2011-04-18 20:18 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-02-26 18:17 . 2012-02-26 18:18 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0417F7A9-CE38-43E5-A3E9-CC79375849F0}\gapaengine.dll
2012-02-17 06:38 . 2012-03-17 00:29 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-17 00:29 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-17 00:29 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-17 00:29 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 19:09 . 2012-02-14 19:09 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-10 06:36 . 2012-03-17 00:29 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-17 00:29 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-02_19.42.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2012-05-03 19:07 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-05-02 19:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-05-02 19:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-05-03 19:07 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-05-02 19:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-05-03 19:07 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-05-03 19:54 52898 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-03 19:54 48610 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-10-12 04:37 . 2012-05-03 19:54 12680 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-874174280-269866361-546167079-1000_UserData.bin
- 2011-06-13 00:18 . 2012-05-02 04:50 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-06-13 00:18 . 2012-05-03 14:00 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-04-23 20:49 . 2012-05-02 04:50 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-04-23 20:49 . 2012-05-03 14:00 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-05-03 14:00 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-05-02 04:50 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2012-05-03 05:28 95984 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2012-05-02 19:41 . 2012-05-02 19:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-05-03 19:52 . 2012-05-03 19:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-05-03 19:52 . 2012-05-03 19:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-05-02 19:41 . 2012-05-02 19:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-10-12 16:20 . 2012-05-03 19:03 243370 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 05:01 . 2012-05-03 19:52 317292 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-05-02 19:40 317292 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-10-12 18:07 . 2012-05-03 19:52 7070696 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-874174280-269866361-546167079-1000-12288.dat
+ 2011-10-12 07:53 . 2012-05-03 00:01 13616928 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-874174280-269866361-546167079-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-10-12 14940040]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"QuickGammaLoader"="c:\program files (x86)\QuickGamma\QuickGammaLoader.exe" [2005-03-28 68096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Hotkey Utility"="c:\program files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe" [2011-01-19 620136]
"SAOB Monitor"="c:\program files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe" [2011-09-22 2536760]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-09-23 5550984]
"G Data AntiVirus Tray Application"="c:\program files (x86)\Lavasoft\Ad-Aware Total Security\AVKTray\AVKTray.exe" [2010-06-30 981504]
"GDFirewallTray"="c:\program files (x86)\Lavasoft\Ad-Aware Total Security\Firewall\GDFirewallTray.exe" [2010-06-30 1550576]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 253088]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 GDBackupSvc;Ad-Aware Backup Service;c:\program files (x86)\Lavasoft\Ad-Aware Total Security\AVKBackup\AVKBackupService.exe [2010-06-30 911976]
R3 GDTunerSvc;Ad-Aware Tuner Service;c:\program files (x86)\Lavasoft\Ad-Aware Total Security\AVKTuner\AVKTunerService.exe [2010-06-30 1234896]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-26 129976]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [x]
S0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\DRIVERS\tdrpm273.sys [x]
S1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [x]
S1 gdwfpcd;G DATA WFP CD;c:\windows\system32\drivers\gdwfpcd64.sys [x]
S1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2011-10-13 3246040]
S2 AVKProxy;Ad-Aware Total Security Proxy;c:\program files (x86)\Common Files\G Data\AVKProxy\AVKProxy.exe [2010-06-30 1081384]
S2 AVKService;Ad-Aware Scheduler;c:\program files (x86)\Lavasoft\Ad-Aware Total Security\AVK\AVKService.exe [2010-06-30 412944]
S2 AVKWCtl;Ad-Aware Filesystem Monitor;c:\program files (x86)\Lavasoft\Ad-Aware Total Security\AVK\AVKWCtlX64.exe [2010-06-23 2170224]
S2 GREGService;GREGService;c:\program files (x86)\eMachines\Registration\GREGsvc.exe [2010-01-08 23584]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-12-12 290832]
S2 Live Updater Service;Live Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2011-01-31 244624]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-05-04 503080]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [x]
S3 GDFwSvc;Ad-Aware Personal Firewall;c:\program files (x86)\Lavasoft\Ad-Aware Total Security\Firewall\GDFwSvcx64.exe [2010-06-15 1954472]
S3 GDPkIcpt;GDPkIcpt;c:\windows\system32\drivers\PktIcpt.sys [x]
S3 GDScan;Ad-Aware Scanner;c:\program files (x86)\Common Files\G Data\GDScan\GDScan.exe [2010-06-30 624064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 03:11]
.
2012-05-03 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\programdata\HP Photo Creations\MessageCheck.exe [2012-03-12 04:03]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-09 10060320]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-09-23 394832]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://emachines.msn.com
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://emachines.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\2xs1mble.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
.
**************************************************************************
.
Completion time: 2012-05-03 12:57:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-03 19:57
ComboFix2.txt 2012-05-02 20:14
ComboFix3.txt 2012-05-02 19:47
.
Pre-Run: 936,762,818,560 bytes free
Post-Run: 936,450,097,152 bytes free
.
- - End Of File - - 91E8F3365FDAEABA95D493EF447B9B20



Hope that is right. Sorry for the delay. I have no idea how a PM is supposed to signal me. I am registered on this forum by
my home email which is somehow inaccessible. I saw no postings after my first download of ComboFix. I looked at the forum
repeatedly after restarting my computer, etc. I had great difficulty typing anything in the reply box. I had to "reload" the box repeatedly. Finally, I saw a message about ComboFix output being incomplete. It flashed by, then I could not see it anymore.
Still cannot see it. Hope this clears up. What do you suggest?

#26
moondog90

    New Member

  • Members
  • 22 posts
  • Gender:Male
As far as I can see, this topic ends above with my incomplete Combofix output. What I think I replied on just before this was the beginning of a new topic with the same name. Where is it?

#27
moondog90

    New Member

  • Members
  • 22 posts
  • Gender:Male
All my previous replies after I entered the incomplete ComboFix output have disappeared. As far as I can see this topic ends with an incomplete combofix output and the reply I am now typing. I hope when this disappears, it will come out at the end of a new topic somewhere with some name. Please give me instructions by email at verwoert222@msn.com

#28
moondog90

    New Member

  • Members
  • 22 posts
  • Gender:Male
Oh. So we are on page 2? It is as simple as that? Why when I click on my topic on the subforum webpage does it send me to page 1 and allow me to type in the replybox at the end of page one?

#29
MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Please find these two files and upload them to VirusTotal for a free scan:

http://www.virustotal.com/

c:\windows\system32\drivers\21426115.sys
c:\windows\system32\drivers\62644338.sys

Let me know the results > Just copy back the url

You may have to enable hidden files to see them:

http://www.bleepingc...s-in-windows-7/


MrC

Malware Removal Expert

#30
moondog90

    New Member

  • Members
  • Pip
  • 22 posts
  • Gender:Male
I don't understand. Followed the procedure. All hidden files, .sys etc., are visible. I can follow the path
c:\Windows\system32\drivers\ and 21426115.sys is visible on Mom's computer. But when I follow the same path
by clicking on "Choose File" in VirusTotal, the file is not visible and VirusTotal says "21426115.sys" "file not found"
if I click on "Open".
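An added example, not part of this thread and not code from any of the tools mentioned in it: a PowerShell script that hashes the two driver files MrCharlie named so they can be looked up on VirusTotal by SHA-256 rather than uploaded through a browser's file dialog. The two paths are the ones from post #29; the lookup URL form `https://www.virustotal.com/gui/file/<sha256>` is an assumption about the current VirusTotal site. The script also reports whether it is running as a 64-bit process and whether a same-named file exists under SysWOW64, because on 64-bit Windows (which the `c:\program files (x86)` entry in the ComboFix log indicates) a 32-bit program's Open dialog sees `C:\Windows\System32` redirected to `C:\Windows\SysWOW64`, one common reason a file that Explorer shows can be reported as "file not found".

```powershell
# Added example (not from the thread). Hashes the driver files named in post #29
# so they can be searched on VirusTotal by SHA-256 instead of uploaded.
# Run from an elevated 64-bit PowerShell on the affected machine.
$drivers = @(
    'C:\Windows\System32\drivers\21426115.sys',
    'C:\Windows\System32\drivers\62644338.sys'
)

# .NET SHA-256 is used instead of Get-FileHash so this also works on the
# PowerShell 2.0 that shipped with Windows 7.
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

# A 32-bit process on 64-bit Windows has System32 silently redirected to
# SysWOW64 (WOW64 file system redirection); a 64-bit process is not redirected.
# [IntPtr]::Size is 8 in a 64-bit process, 4 in a 32-bit one.
"Running as 64-bit process: $([IntPtr]::Size -eq 8)"

foreach ($path in $drivers) {
    if (-not (Test-Path -LiteralPath $path)) {
        "MISSING  $path"
        continue
    }
    # -Force so hidden/system attributes do not hide the file from Get-Item.
    $item = Get-Item -LiteralPath $path -Force
    $hash = Get-Sha256Hex -Path $path
    "{0}`n  size: {1} bytes  modified: {2}`n  sha256: {3}`n  lookup: https://www.virustotal.com/gui/file/{3}" -f `
        $path, $item.Length, $item.LastWriteTime, $hash

    # Check the 32-bit view too: if a different file of the same name lives in
    # SysWOW64, a 32-bit scanner or browser would have been looking at that one.
    $wowPath = $path -replace 'System32', 'SysWOW64'
    if (Test-Path -LiteralPath $wowPath) {
        "  note: a file with this name also exists at $wowPath (sha256 $(Get-Sha256Hex -Path $wowPath))"
    }
}
```

Paste the printed `lookup:` URL into a browser (or search the hash on virustotal.com). If VirusTotal has never seen that hash, the page will be empty and the file still has to be uploaded; in that case use a 64-bit program's Open dialog, or copy the file to the Desktop first so the redirected path is not involved. The size and modification timestamp are worth keeping alongside the hash in the reply, since randomly named drivers in `system32\drivers` are exactly what the helper is trying to identify.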

#31
MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Do this instead:

Download aswMBR to your desktop.
http://public.avast....erek/aswMBR.exe
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

MrC

Malware Removal Expert

#32
moondog90

    New Member

  • Members
  • Pip
  • 22 posts
  • Gender:Male
aswMBR.txt is a normal txt file in notepad. I can highlight it and say "copy". I come to this reply box and right-click.
"paste" is not one of the options. I tried "reload" about 4 times. Are there any other options in the context box
such as "Back" or "reload" that you would like me to select?

#33
MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Go to edit > select all > edit > copy > come back to the forum > click "More Reply Options"
Now right click in the reply box and choose paste > now add reply

MrC

Malware Removal Expert

#34
moondog90

    New Member

  • Members
  • Pip
  • 22 posts
  • Gender:Male
Can't find "More Reply Options". Don't know where to look. Shouldn't have to.
My time is up. I must go home. I think Mom will be OK.
Starting tomorrow afternoon I may send you a personal message. We can communicate that way for a while.
I assume they are going to my email address of record. I will try to get that functioning.

In the meantime, I have a message for your webmaster:

My brain may be fried due to lack of sleep. I am not up to my usual genius I.Q.
However, you need to see your sub-forum website through the eyes of someone who has never used one before.

1. One should never have to "reload" a Reply box in the middle of a page (or anywhere else for that matter).
Especially from a context menu that one has not even been told exists. "Reload" what?

2. You should never display an empty Reply box at the end of a page. Especially one that can accept text that will appear,
not on the current page, but on the next page! Let's just stick with NEVER show an empty reply box at the bottom of a page.
End with the last reply (by either party) and display below that an arrow that says "Go to Next Page". This is not
rocket science. Perhaps all forums work like yours. In that case, they are all illogical and poorly designed!

#35
MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
I have nothing to do with this forum, I just volunteer my time here and help people remove malware from their computers.


Good Luck......

MrC

Malware Removal Expert

#36
LDTate

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 20,118 posts
  • Gender:Male
  • Location:Missouri, USA
Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Larry Tate
Consumer Support Specialist
