need files analyzed

Re: need files analyzed

Post by map1000 » July 1st, 2010, 12:20 am

Had some problems with getting Trend I'net Security and Java6 to uninstall as per your earlier post. Still having problems with the Trend stuff, as you can see. It loves my machine. :-/ I did delete the others earlier, and got Java 6 this time. The Adobe Reader I installed yesterday is version 9, the most recent according to their web site. Computer is not hanging (Explorer not responding) today. Also, instead of dozens of "undeliverable" emails (which I didn't send to begin with) returned in Hotmail today, there is only one.

Results of screen317's Security Check version 0.99.4
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
Trend Micro Internet Security
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

HijackThis 2.0.2
CCleaner
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
WinPatrol winpatrol.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Microsoft Security Essentials msseces.exe
BillP Studios WinPatrol WinPatrol.exe
Trend Micro BM TMBMSRV.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


ComboFix 10-06-29.04 - map 06/30/2010 12:24:49.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3326.2168 [GMT -5:00]
Running from: c:\users\map\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log
c:\windows\system32\st325866.dll
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-30 )))))))))))))))))))))))))))))))
.

2010-06-30 17:33 . 2010-06-30 17:33 -------- d-----w- c:\users\map\AppData\Local\temp
2010-06-30 17:00 . 2010-06-30 17:00 -------- d-----w- c:\program files\ERUNT
2010-06-30 00:58 . 2008-04-07 10:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-06-30 00:40 . 2010-06-30 00:44 -------- d-----w- c:\programdata\NOS
2010-06-30 00:40 . 2010-06-30 00:40 -------- d-----w- c:\program files\NOS
2010-06-30 00:40 . 2010-06-30 00:51 -------- d--h--w- c:\windows\AxInstSV
2010-06-29 18:06 . 2010-06-29 18:06 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-06-27 02:42 . 2007-05-06 22:11 94208 ----a-w- c:\windows\system32\stacsv.exe
2010-06-27 02:42 . 2007-04-10 23:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2010-06-27 02:41 . 2007-05-06 22:12 326656 ----a-w- c:\windows\system32\drivers\stwrt.sys
2010-06-27 02:41 . 2007-05-06 22:11 326144 ----a-w- c:\windows\system32\stcplx.dll
2010-06-27 02:41 . 2007-05-06 22:11 587776 ----a-w- c:\windows\system32\stapo.dll
2010-06-27 02:41 . 2007-05-06 22:10 244736 ----a-w- c:\windows\system32\stapi32.dll
2010-06-27 02:41 . 2010-06-27 02:41 -------- d-----w- c:\program files\SigmaTel
2010-06-25 23:59 . 2010-06-25 23:59 -------- d-----w- c:\program files\CCleaner
2010-06-25 23:57 . 2010-05-21 17:11 475648 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.scr
2010-06-25 23:57 . 2010-05-21 17:11 1061888 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.exe
2010-06-25 23:57 . 2010-06-29 12:07 -------- d-----w- c:\program files\MyDefrag v4.3.1
2010-06-24 09:22 . 2010-06-24 09:22 -------- d-----w- C:\rsit
2010-06-24 00:34 . 2009-11-25 17:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 00:34 . 2009-11-25 17:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 00:34 . 2009-11-25 17:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 00:34 . 2009-11-25 17:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 00:34 . 2009-11-25 17:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 00:34 . 2010-05-09 09:14 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-06-24 00:34 . 2010-05-09 09:14 417792 ----a-w- c:\windows\system32\msdri.dll
2010-06-24 00:34 . 2010-03-24 06:37 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-06-23 14:36 . 2010-06-30 15:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-23 02:34 . 2009-06-10 21:42 24 ----a-w- c:\users\map\AppData\Roaming\WinPatrol\Autoexec.bat
2010-06-23 02:34 . 2009-06-10 21:42 10 ----a-w- c:\users\map\AppData\Roaming\WinPatrol\Config.sys
2010-06-23 02:34 . 2010-06-23 02:34 -------- d-----w- c:\users\map\AppData\Roaming\WinPatrol
2010-06-23 02:34 . 2010-06-23 02:45 -------- d-----w- c:\program files\BillP Studios
2010-06-22 18:53 . 2010-06-22 18:53 388096 ----a-r- c:\users\map\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-10 23:58 . 2010-06-10 23:58 -------- d-----w- c:\programdata\IObit
2010-06-10 13:04 . 2010-06-10 13:04 -------- d-----w- C:\$AVG
2010-06-09 23:33 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 23:33 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 23:33 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 23:33 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 23:33 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-09 12:13 . 2010-06-09 12:13 -------- d-----w- c:\users\map\AppData\Local\Threat Expert
2010-06-09 07:27 . 2010-06-28 11:11 -------- d-----w- c:\program files\Spyware Doctor
2010-06-09 00:02 . 2010-06-09 00:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-09 00:02 . 2010-06-09 14:42 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-09 00:02 . 2010-06-09 00:02 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-09 00:02 . 2010-06-30 13:18 -------- d-----w- c:\windows\system32\drivers\Avg
2010-06-09 00:02 . 2010-06-09 14:42 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-09 00:00 . 2010-06-09 00:00 -------- d-----w- c:\program files\AVG
2010-06-08 23:59 . 2010-06-09 00:00 -------- d-----w- c:\programdata\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-30 15:56 . 2008-10-29 16:47 -------- d-----w- c:\program files\Trend Micro
2010-06-30 14:57 . 2008-05-02 14:16 6618 ----a-w- c:\users\map\AppData\Roaming\wklnhst.dat
2010-06-30 03:14 . 2009-12-27 04:48 97056 ----a-w- c:\users\map\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-30 00:57 . 2007-12-10 11:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-29 01:00 . 2007-12-10 11:36 -------- d-----w- c:\program files\Google
2010-06-29 00:56 . 2008-08-02 11:01 -------- d-----w- c:\program files\CoffeeCup Software
2010-06-29 00:36 . 2010-05-27 01:05 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-27 02:34 . 2007-12-10 11:14 -------- d-----w- c:\program files\Intel
2010-06-24 00:35 . 2009-04-10 06:13 -------- d-----w- c:\program files\Microsoft.NET
2010-06-23 14:24 . 2010-04-30 23:23 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-11 21:44 . 2009-11-27 06:50 -------- d-----w- c:\program files\Pando Networks
2010-06-11 21:40 . 2010-05-08 03:20 -------- d-----w- c:\programdata\Skype
2010-06-05 22:41 . 2008-06-03 00:18 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 11:05 . 2009-12-27 12:32 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2010-06-03 11:05 . 2010-05-19 11:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2010-06-01 17:37 . 2009-10-05 05:41 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-29 20:56 . 2010-05-29 20:56 48388 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-05-28 12:09 . 2010-04-30 23:25 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2010-05-28 12:09 . 2010-05-28 12:09 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2010-05-28 12:09 . 2009-12-25 11:10 588096 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-05-28 12:09 . 2010-01-29 11:49 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2010-05-26 22:34 . 2008-02-19 00:29 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-05-26 22:30 . 2007-12-10 11:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 17:43 . 2009-08-20 01:01 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-05-11 21:11 . 2008-02-13 09:17 -------- d-----w- c:\programdata\NVIDIA
2010-05-11 21:11 . 2010-02-07 03:18 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-11 21:03 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-11 20:48 . 2010-05-08 03:21 -------- d-----w- c:\users\map\AppData\Roaming\Skype
2010-05-11 13:06 . 2010-05-08 03:24 -------- d-----w- c:\users\map\AppData\Roaming\skypePM
2010-05-08 03:24 . 2010-05-08 03:24 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-04-30 23:25 . 2009-12-27 12:32 588096 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2010-04-30 23:25 . 2009-12-27 12:32 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-04-23 07:13 . 2010-05-26 02:40 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-03 23:27 . 2010-04-03 23:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 23:27 . 2010-04-03 23:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:27 . 2010-04-03 23:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 23:27 . 2010-04-03 23:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2002-08-01 00:55 . 2008-10-06 08:57 106 --sha-w- c:\windows\WSYS049.SYS
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-09 2065248]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"Task Catcher"="c:\program files\BillP Studios\Task Catcher\tasktrap.exe" [2006-08-15 140856]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-05-06 405504]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-10 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-10 00:57 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-10-10 20:46 69632 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-12-10 5632]
R3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [x]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-30 1343400]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-22 135664]
S0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-02-14 39472]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-06-09 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-06-09 242896]
S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2009-08-13 142352]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-06-09 916760]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-06-09 308064]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2009-08-13 50192]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-08-13 36368]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2009-08-13 235024]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-22 00:03]

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-22 00:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wowhead.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
FF - ProfilePath - c:\users\map\AppData\Roaming\Mozilla\Firefox\Profiles\sraf3hte.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wowhead.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Pando Media Booster - c:\program files\Pando Networks\Media Booster\PMB.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-CNXT_MODEM_PCI_HSF - c:\program files\CONEXANT\CNXT_MODEM_PCI_HSF\UIU32m.exe
AddRemove-Fraps - c:\torrents\fraps\uninstall.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,ea,51,38,54,e1,5c,44,8f,09,b5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,ea,51,38,54,e1,5c,44,8f,09,b5,\

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.URL"

[HKEY_USERS\S-1-5-21-39228075-3906853669-2834664714-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{70CAB321-DA10-7FC5-B575-329EB7715C36}*]
"nanojjkkafliainpkpjandafiopb"=hex:6a,61,6a,6c,67,6d,61,6a,6d,6b,62,62,63,69,
63,61,69,6c,66,64,00,f6
"mahgmlkolchgjgnmmgglmbcine"=hex:6a,61,6b,6c,6e,6c,70,6a,69,6d,67,61,66,6c,70,
66,6e,70,68,68,00,f6
"abjfkmelgklfegpdpihgbbohopacaacgdn"=hex:64,62,67,61,6c,6e,64,65,61,65,69,69,
6e,6d,6a,67,64,64,64,63,6f,61,6a,62,6b,62,64,6c,61,6d,70,64,6f,66,6f,6e,68,\
"maiffjgbgagdifnbiafkpfjjed"=hex:64,62,62,67,6d,69,6a,70,6d,6d,64,68,64,64,63,
63,67,6e,68,65,6e,64,6a,69,70,6e,65,6e,6f,6d,61,63,67,67,6f,66,61,6b,6a,6e,\

[HKEY_USERS\S-1-5-21-39228075-3906853669-2834664714-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D8298EA5-9429-54C2-6D74-DAE329D339C9}*]
"malmnablccnkgemfkkblfafnhk"=hex:69,61,62,66,66,62,6f,63,6e,62,63,66,6e,70,61,
6e,6c,70,00,00
"nabmccakfhmnlfhekpopefkmcifd"=hex:6b,61,66,66,68,62,68,6a,6b,65,68,63,70,6e,
64,66,6c,61,66,61,66,6b,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-30 12:36:45
ComboFix-quarantined-files.txt 2010-06-30 17:36

Pre-Run: 103,145,598,976 bytes free
Post-Run: 103,120,379,904 bytes free

- - End Of File - - BF716A9339475DA38D83F3DDC5C7951E
map1000
Active Member
 
Posts: 12
Joined: June 22nd, 2010, 10:23 pm
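The ComboFix log above is long, and the two sections a helper reads first are the dated file list and the LOCKED REGISTRY KEYS block, whose `hex:` values wrap across lines. As an added example (my code, not part of this thread and not ComboFix's own tooling), a Python triage script that parses lines in that shape: it splits file-list entries into timestamps, size, attribute string and path, reassembles the wrapped `hex:` values, decodes them to ASCII, and flags two things worth a second look. The sample lines are constructed from the log above; the reading of the attribute column by letter (`s` system, `h` hidden, `d` directory) and the "long run of lowercase letters as a value name" heuristic are my assumptions, not ComboFix documentation.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the ComboFix log above: four file-list lines
# and one LOCKED REGISTRY KEYS block whose hex: values wrap onto a second line.
SAMPLE_LOG = r"""
2010-06-30 17:33 . 2010-06-30 17:33 -------- d-----w- c:\users\map\AppData\Local\temp
2010-06-23 02:34 . 2009-06-10 21:42 24 ----a-w- c:\users\map\AppData\Roaming\WinPatrol\Autoexec.bat
2002-08-01 00:55 . 2008-10-06 08:57 106 --sha-w- c:\windows\WSYS049.SYS
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
[HKEY_USERS\S-1-5-21-39228075-3906853669-2834664714-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{70CAB321-DA10-7FC5-B575-329EB7715C36}*]
"nanojjkkafliainpkpjandafiopb"=hex:6a,61,6a,6c,67,6d,61,6a,6d,6b,62,62,63,69,
63,61,69,6c,66,64,00,f6
"malmnablccnkgemfkkblfafnhk"=hex:69,61,62,66,66,62,6f,63,6e,62,63,66,6e,70,61,
6e,6c,70,00,00
"""

# "created . modified size attrs path"; size is a run of dashes for directories.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
HEX_VALUE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>.*)$')
# Continuation line: comma-separated byte pairs, optionally ending in the
# backslash ComboFix prints when it cuts a long value short.
HEX_CONT = re.compile(r"^(?:[0-9a-f]{2},?)+\\?$")
# Heuristic (assumption): value names that are just a long run of lowercase
# letters, where a GUID or a product name would be expected.
RANDOM_NAME = re.compile(r"^[a-z]{16,}$")

FileEntry = namedtuple("FileEntry", "created modified size attrs path")
HexValue = namedtuple("HexValue", "key name raw decoded truncated")


def decode_ascii(raw):
    """Printable ASCII up to the first NUL; anything else is shown as '.'."""
    head = raw.split(b"\x00", 1)[0]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in head)


def parse_combofix(text):
    """Return (file entries, registry hex values) found in a ComboFix-style log."""
    files, hexvals = [], []
    current_key = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = FILE_LINE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            files.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
            i += 1
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # registry key the following values live under
            i += 1
            continue
        m = HEX_VALUE.match(line)
        if m:
            chunks = [m["data"]]
            i += 1
            while i < len(lines) and HEX_CONT.match(lines[i].strip()):
                chunks.append(lines[i].strip())
                i += 1
            joined = "".join(chunks)
            truncated = joined.endswith("\\")
            raw = bytes(int(h, 16) for h in joined.rstrip("\\").split(",") if h)
            hexvals.append(HexValue(current_key, m["name"], raw, decode_ascii(raw), truncated))
            continue
        i += 1
    return files, hexvals


def flag_files(files):
    """Non-directory entries carrying both the hidden and system attributes.

    Attribute letters are read by presence ('s' system, 'h' hidden, 'd' directory),
    an assumption about ComboFix's attribute column. A hit is a prompt to look,
    not a verdict: legitimate files such as Fonts/StaticCache.dat match too.
    """
    return [f for f in files
            if not f.attrs.startswith("d") and "s" in f.attrs and "h" in f.attrs]


def flag_hex_values(hexvals):
    """Random-letter value names under a Shell Extensions/Approved key."""
    return [v for v in hexvals
            if RANDOM_NAME.match(v.name) and "Shell Extensions" in (v.key or "")]


if __name__ == "__main__":
    files, hexvals = parse_combofix(SAMPLE_LOG)
    for f in flag_files(files):
        print(f"hidden+system file: {f.path} ({f.size} bytes, {f.attrs})")
    for v in flag_hex_values(hexvals):
        note = " (cut short by ComboFix)" if v.truncated else ""
        print(f"{v.key}\n  {v.name} -> {v.decoded!r}{note}")
```

Run over the sample, the two `Shell Extensions\Approved` values decode to the letter strings `jajlgmajmkbbcicailfd` and `iabffbocnbcfnpanlp`: random-letter names holding random-letter contents, which is the pair of keys the REGNULL:: section of the fix later in this thread nulls out. Values ComboFix truncates with a trailing backslash are decoded as far as they go and marked `truncated`, so the reader knows the string is incomplete rather than short.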

Re: need files analyzed

Post by turtledove » July 1st, 2010, 2:03 am

Hello map1000,

Thank you for the logs. :)
Will be back as soon as possible. Good news about the email issue. We will get the Trend Security off there with the next fix.

turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: need files analyzed

Post by turtledove » July 1st, 2010, 11:46 pm

Hello map1000,

I need you to submit a file for analysis please.

Set Your Computer to Show All Files/Folders.

  • Click Start.
  • Click My Computer (Computer in Vista/Win 7).
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended).
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

Next

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.


If you have trouble using Virustotal try jotti.org

Note: At times the Scanners can be busy, you may need to wait a bit and retry the scan.

Post
Scan Results
Any changes in system performance?

Thank you

turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: need files analyzed

Post by turtledove » July 2nd, 2010, 11:06 am

Hello map1000,

**Please print out or Copy these instructions to Notepad, as you will have no internet during part of the Fix***
***Please carry out my instructions in my post above first if you haven't done so***


Step 1
Back Up registry with ERUNT

  • Please use the following link and download ERUNT to your desktop. HERE
  • Click on the erunt-setup.exe
  • Follow the prompts to install ERUNT
  • Choose language
  • A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO

    Image
  • Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe



Step 2
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

1. Please open Notepad and copy/paste all the text below... into the window:

KILLALL::
FILE::
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\System32\drivers\tmcomm.sys
C:\Windows\System32\drivers\vsapint.sys
C:\Windows\System32\drivers\tmwfp.sys
C:\Windows\System32\drivers\tmxpflt.sys
C:\Windows\System32\drivers\tmlwf.sys
C:\Windows\System32\drivers\tmtdi.sys
C:\Windows\System32\drivers\tmactmon.sys
C:\Windows\System32\drivers\tmevtmgr.sys
C:\Windows\System32\drivers\tmpreflt.sys

ADS::
C:\ProgramData\TEMP:A8ADE5D8
C:\ProgramData\TEMP:DFC5A2B2

Folder::
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security
C:\ProgramData\IObit

Firefox::
FireFox -: - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17

Driver::
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\System32\drivers\tmcomm.sys
C:\Windows\System32\drivers\vsapint.sys
C:\Windows\System32\drivers\tmwfp.sys
C:\Windows\System32\drivers\tmxpflt.sys
C:\Windows\System32\drivers\tmlwf.sys
C:\Windows\System32\drivers\tmtdi.sys
C:\Windows\System32\drivers\tmactmon.sys
C:\Windows\System32\drivers\tmevtmgr.sys
C:\Windows\System32\drivers\tmpreflt.sys

REGNULL::
[HKEY_USERS\S-1-5-21-39228075-3906853669-2834664714-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{70CAB321-DA10-7FC5-B575-329EB7715C36}*]
[HKEY_USERS\S-1-5-21-39228075-3906853669-2834664714-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D8298EA5-9429-54C2-6D74-DAE329D339C9}*]


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Post
Virus Total or Jotti Scan Results
C:\Combofix.txt
How your system is now

Thank you

turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
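The helper's warning in Step 2 is worth taking literally: a CFScript is a list of things ComboFix will delete or null with no confirmation, so a slip in a path or a registry key is the kind of error that is cheap to catch before the file is dragged onto ComboFix.exe and expensive afterwards. As an added example (my code, not ComboFix's and not the helper's), a Python checker that parses a CFScript into its `Section::` blocks and runs a few sanity checks: entries under `FILE::`, `Folder::` and `Driver::` must be absolute paths and must not name a drive root or a top-level Windows directory; `ADS::` entries need a stream name after the path; every GUID inside a `REGNULL::` key must be well-formed. The sample script is a shortened, constructed version of the one above with two faults planted for the checker to find: a `Folder::` line naming `C:\Windows\System32`, and a `REGNULL::` key with a stray space inside its first GUID (an easy slip when a long key is copied by hand). The list of section names and the set of protected directories are my assumptions, not ComboFix documentation.

```python
import re

# Constructed sample: a shortened CFScript in the shape of the one posted in this
# thread, with two deliberate faults for the checker to catch: a Folder:: entry
# naming C:\Windows\System32, and a REGNULL:: key whose first GUID holds a space.
SAMPLE_CFSCRIPT = r"""
KILLALL::
FILE::
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\System32\drivers\tmcomm.sys

ADS::
C:\ProgramData\TEMP:A8ADE5D8

Folder::
C:\Program Files\Trend Micro\Internet Security
C:\ProgramData\IObit
C:\Windows\System32

Firefox::
FireFox -: - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17

REGNULL::
[HKEY_USERS\S-1-5-21-39228075-3906853669-2834664714-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{70CAB321-DA10- 7FC5-B575-329EB7715C36}*]
"""

SECTION = re.compile(r"^([A-Za-z]+)::$")
ABS_PATH = re.compile(r"^[A-Za-z]:\\")
GUID_ANY = re.compile(r"\{[^{}]*\}")
GUID_OK = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)
# Assumptions: only the section names used in this thread are listed, and the
# "protected" set is the handful of top-level directories no removal script
# should ever name as a whole.
KNOWN_SECTIONS = {"KILLALL", "FILE", "ADS", "FOLDER", "FIREFOX", "DRIVER", "REGNULL"}
PROTECTED_DIRS = {"c:", "c:\\windows", "c:\\windows\\system32", "c:\\program files",
                  "c:\\users", "c:\\programdata"}


def parse_cfscript(text):
    """Map each Section:: name (upper-cased) to the non-blank lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def _norm(path):
    return path.rstrip("\\").lower()


def check_cfscript(sections):
    """Return a list of problems; an empty list means nothing obviously wrong."""
    problems = []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section {name}::")
    for name in ("FILE", "FOLDER", "DRIVER"):
        for entry in sections.get(name, []):
            if _norm(entry) in PROTECTED_DIRS:
                problems.append(f"{name}:: targets a protected directory: {entry}")
            elif not ABS_PATH.match(entry):
                problems.append(f"{name}:: entry is not an absolute path: {entry}")
    for entry in sections.get("ADS", []):
        # An alternate data stream is written as path:stream, so a second colon
        # (after the drive letter's) must be present.
        if entry.count(":") < 2:
            problems.append(f"ADS:: entry has no stream name: {entry}")
    for entry in sections.get("REGNULL", []):
        if not (entry.startswith("[") and entry.endswith("]")):
            problems.append(f"REGNULL:: key must be in square brackets: {entry}")
            continue
        for guid in GUID_ANY.findall(entry):
            if not GUID_OK.match(guid):
                problems.append(f"REGNULL:: malformed GUID {guid} in {entry}")
    return problems


if __name__ == "__main__":
    found = check_cfscript(parse_cfscript(SAMPLE_CFSCRIPT))
    print("\n".join(found) if found else "no problems found")
```

On the sample it reports exactly the two planted faults and nothing else. The GUID check is the one most worth keeping around: ComboFix matches registry keys by text, so a key with a space or a wrong hex digit simply does not match and the malicious values survive the fix, which shows up only as the same keys reappearing in the next log.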

Re: need files analyzed

Post by map1000 » July 3rd, 2010, 4:07 pm

My OS is Windows 7. When I click on Start, there is a search box that appears at the bottom, in which you type a word or phrase to search for. There is no left pane, as you described below:

"When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked."
map1000
Active Member
 
Posts: 12
Joined: June 22nd, 2010, 10:23 pm

Re: need files analyzed

Post by turtledove » July 3rd, 2010, 6:32 pm

Hello map1000,

My apologies, I forgot to correct a line in my post about that.

Please try the following instead:

Show Hidden/System Files
Open My Computer.
There should be Organize listed there.
Click Organize, then click Folder and Search Options. A new window will open; click the View tab.
Select Show hidden files and folders.
Uncheck Hide protected operating system files (recommended).
Click Yes to confirm if asked.
Uncheck the Hide file extensions for known file types.
OK/Exit out.


Next

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.


If you have trouble using Virustotal try jotti.org

Note: At times the Scanners can be busy, you may need to wait a bit and retry the scan.

Post
Scan Results
The new Combofix log from the above post
Any changes in system performance?

Thank you

turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: need files analyzed

Post by Elrond » July 4th, 2010, 3:05 am

Hi map1000.

I am taking over for turtledove who is taking a few days of vacation in connection with the Fourth of July.


Let's try to simplify the Virustotal upload.

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
>C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0<
Click Send.
If your computer asks if it is OK to send it or demands a password, then let it send the file.
Please post the results of this scan to this thread.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
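Three posts in this thread ask for the same System32 file to be uploaded to VirusTotal. As an added example (my code; not part of the thread, not VirusTotal's, and not the helpers' procedure), a Python helper for the step a practitioner would take first: compute the file's MD5, SHA-1 and SHA-256 locally and build the VirusTotal report URL for the SHA-256, so an existing report can be checked without uploading anything. The optional API call uses VirusTotal's v3 `files/{hash}` endpoint and needs an API key; the `VT_API_KEY` environment variable name is my choice, and everything else runs offline. The sample data (`b"abc"` written to a temporary file) is constructed.

```python
import hashlib
import os
import tempfile
import urllib.request

DIGESTS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Digests of an in-memory blob, plus its size (the figures VirusTotal shows)."""
    out = {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}
    out["size"] = len(data)
    return out


def hash_file(path, chunk=1 << 20):
    """Same digests for a file on disk, streamed so large binaries are not slurped."""
    digests = {name: hashlib.new(name) for name in DIGESTS}
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            for d in digests.values():
                d.update(block)
    out = {name: d.hexdigest() for name, d in digests.items()}
    out["size"] = size
    return out


def virustotal_report_url(sha256):
    """Report page for a hash; opening it does not upload the file."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def virustotal_api_lookup(sha256, api_key, timeout=30):
    """VirusTotal API v3 file lookup by hash (network call; caller supplies the key)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def hash_sample(data=b"abc", chunk=2):
    """Write constructed bytes to a temporary file and hash it through hash_file.

    The tiny chunk size forces several reads, exercising the streaming path.
    """
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return hash_file(path, chunk=chunk)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    info = hash_file(sys.argv[1]) if len(sys.argv) > 1 else hash_sample()
    for name in DIGESTS:
        print(f"{name}: {info[name]}")
    print(f"size: {info['size']} bytes")
    print("report:", virustotal_report_url(info["sha256"]))
    key = os.environ.get("VT_API_KEY")  # optional; leave unset to stay offline
    if key:
        print(virustotal_api_lookup(info["sha256"], key)[:400])
```

Pass the path of the file in question as the first argument. Looking the hash up first has two practical benefits: a file that has already been analysed returns a full report without waiting for a fresh scan, and a file nobody has seen before never leaves the machine unless the owner decides to upload it, which matters when the path points into a user profile rather than System32.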

Re: need files analyzed

Post by Elrond » July 9th, 2010, 9:03 am

Due to lack of activity this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem