JEEZE JEEZE FREAKIN' LOUISE INFECTED AGAIN


  • This topic is locked
124 replies to this topic

#31 Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 12 April 2011 - 09:14 PM

Don't click on that "weird" icon. It was put there by the garbage we are trying to get rid of. As you have noticed... the malware tells you you are being hacked and might even list a bunch of other infections that it says you have and you need to pay them to clean it - but the truth is that it is the only thing you are infected with. It is what is known as Scareware. Good name, huh? Besides the scary notices... it tries (and to some extent succeeds) to hide from the other tools. Most versions of this "thing" Malwarebytes will kill if it can see it. That was why we ran Rkill, to try to allow Mbam to see it. Didn't work. :blush:

But... I'd like to try to run Malwarebytes' again... and this time I'd like you to be sure and select Full scan rather than Quick scan. The difference, besides it taking longer to run, is that it will look in more places.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 


#32 compudodo

    Silver Member

  • Authentic Member
  • 372 posts
  • Interests:old fart on a rampage now w/big attitudes, big passions are poetry, parades, pansies, painting, and PIZZA, but only NY style thin crust, not necessarily in that order (and anyway i'm diabetic now and not eating much pizza, sheesh, life without carbs REALLY SUCKS). I know w/deteriorating eyesight and poor reflexes, I can't get back on a motorcycle for the rest of my life, gosh darn it,vroom vroom! (If heaven doesn't have motorcycles I don't wanna go there)

    i love dogs/cats and horses, can't afford to own one. can't afford the vet bills. so I volunteer at a local animal shelter, get my sloppy wet kisses quota there.

    i like being creative, doing creative things, making stuff, i like painting, drawing, making jewelry, even the findings, i like collecting odd-duck friends with great minds, you do know don't you that you are known by the company your mind keeps dontcha? i love birds, would never own one, not ever, would never do that but what wondrous creatures, they run the gamut from delicate gossamer of wing to mighty, brazenly masterful.
    i love khan academy , string theory ; epigenetics, my brain cells are dying as we speak, but i am fighting the good fight.

Posted 12 April 2011 - 09:29 PM

OK... but I'll have to do this tomorrow.... you forget I am an old lady... and I'm done in..... been on here since what? 2:30 or so? Maybe even before that???? I am so tuckered out, my brain is fried, I get so nervous and upset my blood pressure spikes, I get nauseated and I have reached my limit for today... I'll do it tomorrow. I'm sorry... I just can't stay up for a full scan, it will take over a half hour... I know.... when I got infected with that thing... I ran both the Malwarebytes and my full virus scan.... took well over half an hour.... I'll talk to you again tomorrow... thanks sweetie for hanging in there with me.... sorry I can't finish this up tonight. Blessings, Candice
veni, vidi, velcro.... i came, i saw, i stuck around; better yet: veni, vidi, venerous.... i came, i saw, i devour life with abandon

#33 Tomk

Posted 12 April 2011 - 09:48 PM

No worries. Get a good night's sleep. I've snuck home and had dinner myself. I'll be turning in before long as well. :wavey:

#34 compudodo

Posted 13 April 2011 - 11:10 AM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6304

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

4/13/2011 1:08:09 PM
mbam-log-2011-04-13 (13-08-09).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 261850
Time elapsed: 1 hour(s), 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

There you go... let me know when I can turn back on all my virus protection.

#35 Tomk

Posted 13 April 2011 - 11:23 AM

I'm not done torturing you yet. :P

Let's see if you can get ComboFix to run:

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#36 compudodo

Posted 13 April 2011 - 04:00 PM

Tom, I went into Microsoft Essentials yesterday and shut it down, but today I am getting a WARNING! SCREEN popping up telling me that: the above real-time scanners are still active but ComboFix will continue to run. Kindly note this at your own risk. So I shut it off when the ComboFix appeared..... but what did I do wrong? According to my Microsoft Essentials page, it is shut off and my machine is at risk, but this pop-up screen said two items from Microsoft Essentials were still scanning. What should I do? And does that negate everything we did yesterday? Cause if my security stuff wasn't turned off, then I could have gotten false positives.

#37 Tomk

Posted 13 April 2011 - 04:05 PM

Typically when you restart your computer, the antivirus program will also restart. Please go into MSSE and shut it down again before running ComboFix. If you find it is actually still off... then go ahead and run ComboFix anyway.

#38 compudodo

Posted 13 April 2011 - 04:06 PM

No, it was still shut off; everything was still in RED in my Microsoft Essentials... OK, I'll run the ComboFix right now.

#40 compudodo

Posted 13 April 2011 - 04:28 PM

OK.... don't know if it is still doing anything.... it did its scanning to stage 50, then listed all the files it was deleting, and now it is just sitting there doing nothing with a cursor blinking under the one folder it deleted.

#41 compudodo

Posted 13 April 2011 - 04:47 PM

ComboFix 11-04-12.02 - cici 04/13/2011 18:13:21.1.2 - x86 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2812.2014 [GMT -4:00] Running from: c:\users\cici\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160} FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E} SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\programdata\Microsoft\Network\Downloader\qmgr0.dat c:\programdata\Microsoft\Network\Downloader\qmgr1.dat c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.drv c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\CLSV.exe c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\delfile.dll c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\energy.sys c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\FW.drv c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\gid.tmp c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\hymt.exe c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\pal.exe c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\PE.tmp c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\sld.drv c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\snl2w.tmp c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\std.dll c:\users\cici\AppData\Roaming\Microsoft\Windows\Recent\std.tmp c:\users\cici\AppData\Roaming\PCFix c:\users\cici\AppData\Roaming\PCFix\log.dat c:\users\cici\AppData\Roaming\PCFix\unresolvederrors.dat c:\windows\Downloaded Program Files\popcaploader.dll c:\windows\Downloaded Program Files\popcaploader.inf c:\windows\s.bat . 
----- BITS: Possible infected sites ----- . hxxp://dibs.ddni.net . ((((((((((((((((((((((((( Files Created from 2011-03-13 to 2011-04-13 ))))))))))))))))))))))))))))))) . . 2011-04-13 22:26 . 2011-04-13 22:29 -------- d-----w- c:\users\cici\AppData\Local\temp 2011-04-13 22:26 . 2011-04-13 22:26 -------- d-----w- c:\users\Default\AppData\Local\temp 2011-04-13 16:09 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B5C3C1FA-D66D-40CC-B4AC-DAF4C74D99BB}\mpengine.dll 2011-04-13 16:01 . 2011-04-13 16:01 -------- d-----w- c:\users\cici\AppData\Local\{C64F3376-3DF3-4551-BB5E-CBE22AE7BA60} 2011-04-13 01:41 . 2011-04-13 01:41 -------- d-----w- C:\_OTM 2011-04-12 18:34 . 2011-04-12 18:34 -------- d-----w- c:\users\cici\AppData\Local\{D11A10B4-573C-4DD7-9FD4-E06EA917072F} 2011-04-11 22:12 . 2011-04-11 22:12 -------- d-----w- c:\users\cici\AppData\Local\{4434FC7A-B76B-49AC-872C-D361097D263B} 2011-04-11 00:11 . 2011-04-11 00:11 -------- d-----w- c:\users\cici\AppData\Local\{7978BE95-0D33-4A04-A2DD-6673B0B87ED4} 2011-04-09 16:06 . 2011-04-10 04:07 -------- d-----w- c:\users\cici\AppData\Local\{E69B056B-7B3A-4DCD-B8DD-C4947B25E2B2} 2011-04-08 14:15 . 2011-04-08 14:15 -------- d-----w- c:\users\cici\AppData\Local\{3F92FA22-95DB-406D-8BE1-E1AF086A76A8} 2011-04-08 02:14 . 2011-04-08 02:14 -------- d-----w- c:\users\cici\AppData\Local\{1CC52244-640A-45C6-A3B5-9FA7C252A1B4} 2011-04-07 15:18 . 2011-04-07 15:18 -------- d-----w- c:\users\cici\AppData\Local\{4450FBD8-CFE5-4168-BD5C-DA5CF04D9EA7} 2011-04-07 02:33 . 2011-04-07 02:33 -------- d-----w- c:\users\cici\AppData\Local\{5E93B8F3-56FE-453D-A49C-BDA5AA22A4EF} 2011-04-06 14:33 . 2011-04-06 14:33 -------- d-----w- c:\users\cici\AppData\Local\{35A57AD2-912F-4A60-AE2F-CB79B84F0186} 2011-04-05 22:11 . 2011-04-05 22:11 -------- d-----w- c:\users\cici\AppData\Local\{5C97E5D3-E8A0-410F-9D07-A7EE6AB3F2E6} 2011-04-05 15:38 . 
2010-12-30 21:26 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7D074FAE-F067-4066-88C0-4D7D07A15E65}\gapaengine.dll 2011-04-04 11:40 . 2011-04-04 11:40 -------- d-----w- c:\users\cici\AppData\Local\{5C51381B-2337-4592-B773-DD7724C90923} 2011-04-03 10:37 . 2011-04-03 10:37 -------- d-----w- c:\users\cici\AppData\Local\{600E3012-AEC5-4966-BFEF-627F662CC2A6} 2011-04-02 22:37 . 2011-04-02 22:37 -------- d-----w- c:\programdata\NOS 2011-04-02 22:37 . 2011-04-02 22:37 -------- d-----w- c:\program files\NOS 2011-04-02 13:09 . 2011-04-02 13:09 -------- d-----w- c:\users\cici\AppData\Local\{CF4552CD-69B7-47F0-A805-90010A4481CC} 2011-04-02 01:08 . 2011-04-02 01:08 -------- d-----w- c:\users\cici\AppData\Local\{BA9D007D-B348-4FB9-AC9D-69903FFC5727} 2011-04-01 05:56 . 2011-04-01 05:56 -------- d-----w- c:\users\cici\AppData\Local\{D1B6E34A-3CC8-42DA-8755-BFDEE919BD3F} 2011-03-31 17:29 . 2011-03-31 17:29 -------- d-----w- c:\users\cici\AppData\Local\{68373B5F-97E7-49A5-93B3-E73F303B573E} 2011-03-31 08:26 . 2011-03-31 08:26 -------- d-----w- c:\users\cici\AppData\Local\{F618D4B9-7193-4737-9FEA-4439D55B064E} 2011-03-28 12:09 . 2011-03-28 12:09 -------- d-----w- c:\users\cici\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 2011-03-26 01:31 . 2010-12-30 21:26 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll 2011-03-23 08:21 . 2011-03-23 08:21 -------- d-----w- c:\windows\system32\SPReview 2011-03-23 08:12 . 2010-11-20 12:30 3966848 ----a-w- c:\windows\system32\ntkrnlpa.exe 2011-03-23 08:11 . 2010-11-20 12:24 194800 ----a-w- c:\windows\system32\drivers\fvevol.sys 2011-03-23 08:10 . 2010-11-20 12:19 271360 ----a-w- c:\windows\system32\iprtrmgr.dll 2011-03-23 08:09 . 2010-11-20 12:21 19968 ----a-w- c:\windows\system32\spopk.dll 2011-03-23 08:08 . 2010-11-20 12:21 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll 2011-03-23 08:08 . 
2010-11-20 12:21 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll 2011-03-23 08:08 . 2010-11-20 12:21 363008 ----a-w- c:\windows\system32\wbemcomn.dll 2011-03-23 08:08 . 2010-11-20 12:19 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll 2011-03-23 08:08 . 2010-11-20 12:21 697344 ----a-w- c:\windows\system32\SmiEngine.dll 2011-03-23 08:08 . 2010-11-20 12:21 189952 ----a-w- c:\windows\system32\wdscore.dll 2011-03-23 08:08 . 2010-11-20 12:17 209920 ----a-w- c:\windows\system32\PkgMgr.exe 2011-03-23 08:07 . 2010-11-20 12:18 323072 ----a-w- c:\windows\system32\drvstore.dll 2011-03-23 08:07 . 2010-11-20 12:18 257024 ----a-w- c:\windows\system32\dpx.dll 2011-03-23 07:37 . 2011-01-17 05:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll 2011-03-23 07:37 . 2010-11-20 12:18 219136 ----a-w- c:\windows\system32\d3d10_1core.dll 2011-03-23 07:33 . 2011-03-23 07:33 -------- d-----w- c:\users\cici\AppData\Local\ElevatedDiagnostics 2011-03-23 07:29 . 2011-03-23 07:29 -------- d-----w- c:\windows\system32\EventProviders 2011-03-20 05:36 . 2011-04-02 22:38 -------- d-----w- c:\program files\Google 2011-03-19 04:43 . 2011-02-18 21:28 69120 ----a-w- c:\windows\system32\zlcomm.dll 2011-03-19 04:43 . 2011-02-18 21:28 104448 ----a-w- c:\windows\system32\zlcommdb.dll 2011-03-19 04:42 . 2011-02-18 21:28 1238528 ----a-w- c:\windows\system32\zpeng25.dll 2011-03-19 04:42 . 2011-03-19 04:43 -------- d-----w- c:\windows\system32\ZoneLabs 2011-03-19 04:42 . 2010-05-15 20:30 461400 ----a-w- c:\windows\system32\drivers\vsdatant.sys 2011-03-19 04:42 . 2011-03-19 04:42 -------- d-----w- c:\program files\Zone Labs 2011-03-19 04:39 . 2011-03-19 04:39 -------- d-----w- c:\programdata\CheckPoint 2011-03-19 04:39 . 2011-04-13 21:50 -------- d-----w- c:\windows\Internet Logs 2011-03-15 23:03 . 2011-03-15 23:03 -------- d-----w- c:\program files\Common Files\Java . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-03-23 08:45 . 
2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll 2011-03-15 04:05 . 2010-12-31 16:15 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-03-12 16:44 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2011-02-19 06:30 . 2011-03-09 10:00 805376 ----a-w- c:\windows\system32\FntCache.dll 2011-02-19 06:30 . 2011-03-09 10:00 1076736 ----a-w- c:\windows\system32\DWrite.dll 2011-02-19 06:30 . 2011-03-09 10:00 739840 ----a-w- c:\windows\system32\d2d1.dll 2011-02-03 05:54 . 2011-02-08 20:22 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys 2011-02-03 01:40 . 2011-01-03 23:16 472808 ----a-w- c:\windows\system32\deployJava1.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc] @="{771C7324-DA80-49D3-8017-753B0AF60951}" [HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}] 2010-04-20 06:30 1410400 ----a-w- c:\windows\System32\IcnOvrly.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760] "Google Update"="c:\users\cici\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-12-31 136176] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-02 98304] "cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2010-03-10 496184] "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-12-03 35184] "IdeaNotesUser"="c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe" [2009-08-24 221872] "VeriFaceManager"="c:\program files\Lenovo\VeriFace\PManage.exe" [2010-04-20 3122528] "UCam_Menu"="c:\program files\Lenovo\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504] "YouCam Mirror Tray icon"="c:\program files\Lenovo\YouCam\YouCamTray.exe" [2009-12-22 167008] "UpdateP2GShortCut"="c:\program files\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408] "EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2009-12-17 4114368] "Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2009-12-17 6223808] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408] "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-02-18 1043968] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "WLStart"="c:\program files\Windows Live\Installer\wlstart.exe" [2009-07-26 768336] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 MpKsl978fa875;MpKsl978fa875;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0BD66ACC-798A-4729-A646-5170C04BB9C9}\MpKsl978fa875.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-20 136176]
R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys [2009-07-28 63240]
R3 IGRS;IGRS;c:\program files\Lenovo\ReadyComm\common\IGRS.exe [2009-07-15 38152]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-07-13 229888]
R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-08-14 509192]
R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-11-17 575304]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\System32\IgrsSvcs.exe [2009-07-14 20992]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-03-12 189984]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-31 1343400]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 81704]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-03 172032]
S2 DDNIMSGService;DDNIMSGService;c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2010-07-20 171872]
S2 DDNIService;DDNIService;c:\program files\DDNI\DIBS\DDNIService.exe [2010-07-23 163680]
S2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\System32\IgrsSvcs.exe [2009-07-14 20992]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-09-03 21256]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-03 5340160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-03 152064]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2009-11-13 58368]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-12-22 30392]
S3 usbsmi;Lenovo EasyCamera;c:\windows\system32\DRIVERS\SMIksdrv.sys [2009-10-16 171776]
S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [2009-07-16 11792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-20 05:35]
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-20 05:35]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2742486753-408597114-3825370978-1003Core.job
- c:\users\cici\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-31 06:40]
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2742486753-408597114-3825370978-1003UA.job
- c:\users\cici\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-31 06:40]
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-13 18:41:12
ComboFix-quarantined-files.txt 2011-04-13 22:41
.
Pre-Run: 84,077,899,776 bytes free
Post-Run: 83,740,307,456 bytes free
.
- - End Of File - - 230DF6438AD834A2DFE51F095DE336FA

HOLY MOLY...THAT'S ONE HUGE REPORT ok, i didn't get any of that recovery stuff popping up.... i might have done that a while ago, but i doubt i did it right....also....maybe this infection is related to the other two infections which were virtually the same thing????? so I can't remember if I actually shut off my security the last time, i'm thinking i didn't...... and maybe this stupid virus has been sitting here waiting to attack me again....it's only been a few weeks, maybe three, max four I think since I was last infected..... i mean, what are the odds I'd be infected three times in three/four months with the same virus???
veni, vidi, velcro.... i came, i saw, i stuck around; better yet: veni, vidi, venerous.... i came, i saw, i devour life with abandon
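The R*/S* block of that ComboFix log has a fixed shape that a reviewer can check mechanically instead of by eye. The Python below is an added example for this thread (not ComboFix's own code and not from anyone in the discussion): it parses those service and driver lines, pulls out the entries ComboFix marked with [x] (taken here to mean the service is registered but its image file was not found on disk, which is an assumption about the marker) and lists the services whose image is svchost.exe, where the path in the log says nothing about the actual code and the svchost group key printed further down is the thing to read. The sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: five service/driver lines copied from the ComboFix log posted
# above. ComboFix prints "[date size]" after the image path when it found the file
# and "[x]" when it did not (that reading of the marker is an assumption).
SAMPLE_LOG = r"""
R1 MpKsl978fa875;MpKsl978fa875;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0BD66ACC-798A-4729-A646-5170C04BB9C9}\MpKsl978fa875.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-20 136176]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 DDNIService;DDNIService;c:\program files\DDNI\DIBS\DDNIService.exe [2010-07-23 163680]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-12-22 30392]
"""

# One entry: "<state> <name>;<display name>;<image path> [<date> <size>]" or "... [x]".
ENTRY_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"
    r"(?P<name>[^;]+);"
    r"(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+"
    r"(?:\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]|(?P<missing>\[x\]))$"
)


@dataclass
class ServiceEntry:
    state: str           # the R/S letter and start-type digit exactly as ComboFix prints them
    name: str            # service or driver key name
    display: str         # display name
    path: str            # image path as logged
    date: Optional[str]  # file date as printed, None when the file was not found
    size: Optional[int]  # file size in bytes, None when the file was not found
    missing: bool        # True when ComboFix printed [x] instead of date and size


def parse_entries(text: str) -> List[ServiceEntry]:
    """Parse the R*/S* lines of a ComboFix log; any other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            state=m["state"], name=m["name"], display=m["display"], path=m["path"],
            date=m["date"], size=int(m["size"]) if m["size"] else None,
            missing=m["missing"] is not None,
        ))
    return entries


def missing_files(entries: List[ServiceEntry]) -> List[str]:
    """Names of registered services/drivers whose image file ComboFix could not find."""
    return [e.name for e in entries if e.missing]


def svchost_hosted(entries: List[ServiceEntry]) -> List[str]:
    """Services whose image is svchost.exe. The code that actually runs is a DLL named
    by the service's ServiceDll value and grouped under the svchost registry key, so
    the path shown in the log cannot be used to judge them."""
    return [e.name for e in entries if e.path.lower().endswith(r"\svchost.exe")]


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    for e in found:
        detail = "MISSING FILE" if e.missing else f"{e.date} {e.size} bytes"
        print(f"{e.state} {e.name:<20} {detail}")
    print("missing:", missing_files(found))
    print("hosted in svchost:", svchost_hosted(found))
```

Run against the full log above, the [x] list comes back with only MpKsl978fa875 (a Microsoft Antimalware definition-update driver whose temporary file is already gone), and the svchost list with nosGetPlusHelper, which is why the svchost group key listing nosGetPlusHelper further down is worth a look rather than the svchost.exe path.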

#42 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 13 April 2011 - 05:35 PM

Candice,

HOLY MOLY...THAT'S ONE HUGE REPORT

Not really too bad. OTL reports are much longer.

There are a dozen or so versions of basically the same infection floating around in cyberspace. This is one of the "newest" versions. I've only seen it around a couple weeks maybe. They are all very similar... yet they are each different... specifically in the names of the folders involved... and in most cases the names of the files are different on each computer - even if they have the same version of the infection. This isn't an infection that sits around and waits to be "triggered". Based upon your logs... I'd say you got infected late at night on April 10th or early in the morning on April 11th. If you were to tell me that you were playing on your computer into the "wee" hours of the morning... I'd pick 3:00 am on the 11th (way past my bedtime).

Anyhow... things look much better. :thumbup:

Let's get an online scan. As you recall I'm sure.... they take hours.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#43 compudodo

compudodo

    Silver Member

  • Authentic Member
  • PipPipPip
  • 372 posts
  • Interests:old fart on a rampage now w/big attitudes, big passions are poetry, parades, pansies, painting, and PIZZA, but only NY style thin crust, not necessarily in that order (and anyway i'm diabetic now and not eating much pizza, sheesh, life without carbs REALLY SUCKS). I know w/deteriorating eyesight and poor reflexes, I can't get back on a motorcycle for the rest of my life, gosh darn it,vroom vroom! (If heaven doesn't have motorcycles I don't wanna go there)

    i love dogs/cats and horses, can't afford to own one. can't afford the vet bills. so I volunteer at a local animal shelter, get my sloppy wet kisses quota there.

    i like being creative, doing creative things, making stuff, i like painting, drawing, making jewelry, even the findings, i like collecting odd-duck friends with great minds, you do know don't you that you are known by the company your mind keeps dontcha? i love birds, would never own one, not ever, would never do that but what wondrous creatures, they run the gamut from delicate gossamer of wing to mighty, brazenly masterful.
    i love khan academy , string theory ; epigenetics, my brain cells are dying as we speak, but i am fighting the good fight.

Posted 13 April 2011 - 06:49 PM

while we are waiting for this long long scan.... i just did a bad thing...... my tool bar on top, that had my file, tools, view icons has disappeared...... and i don't know where to go to restore it....went down to the system tray at the bottom, but it's not in toolbars , my favorites are gone too...... how the heck do I get anyplace without my toolbar???... this is my fault..... i decided i didn't want cookies tracking me anymore....so I DID say allow first party cookies..... but I said prompt me for the third party cookies....and every time i do anything, all these cookie places want access....well, when i did away with a few...my toolbar disappeared!!!!!!
veni, vidi, velcro.... i came, i saw, i stuck around; better yet: veni, vidi, venerous.... i came, i saw, i devour life with abandon

#44 compudodo

compudodo

    Silver Member

  • Authentic Member
  • PipPipPip
  • 372 posts

Posted 13 April 2011 - 07:09 PM

ok..... now..... nothing you said above happened.... and I don't see any log or any way to get the log.... there were three infections found..... all were a variant of win32/trojandownload.... i clicked on copy to clipboard...but nothing happened so far as i could tell...and i don't know what this clipboard is anyway...never saw one on my computer.... i also have the choice to export to text file and i'll click on that too..... well, can't see that it went anywhere either..... i am so clueless
veni, vidi, velcro.... i came, i saw, i stuck around; better yet: veni, vidi, venerous.... i came, i saw, i devour life with abandon

#45 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 13 April 2011 - 07:37 PM

Candice, If you still have the report on your screen... can you tell me where it says the infected files are located? By the way... the "clipboard" is a little "storage space" built into windows. It's not really a place. When you highlight something - right click on it and select copy... it is copied to the clipboard. If you then go somewhere and right click and select paste... it is pasted to the page from the clipboard. It's really just a little memory that holds the information between where you copy it from and where you paste it to. If you clicked on copy to clipboard... try right clicking in a reply window here and select paste. Whatever you copied last will be pasted.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 
