[Resolved] a sudden slowing of an internet connection

[puzzled]

Hi
I did what you asked: one thing I forgot to mension is that after running combofix in both times I ran it, my machine needed a restart, and programs could not be started before that restart. The massage was about registry deletion of some sort. Anyway  here's combofix:

ComboFix 12-01-13.05 - ננ 01/14/2012  12:44:07.2.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1255.972.1037.18.1918.1101 [GMT 2:00]
Running from: c:\users\??\Desktop\ComboFix.exe
Command switches used :: c:\users\??\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
.
.
(((((((((((((((((((((((((   Files Created from 2011-12-14 to 2012-01-14  )))))))))))))))))))))))))))))))
.
.
2012-01-14 10:53 . 2012-01-14 10:54   --------   d-----w-   c:\users\ננ\AppData\Local\temp
2012-01-14 10:53 . 2012-01-14 10:53   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-01-03 16:54 . 2012-01-03 16:56   --------   d-----w-   c:\windows\system32\ca-ES
2012-01-03 16:54 . 2012-01-03 16:56   --------   d-----w-   c:\windows\system32\eu-ES
2012-01-03 16:54 . 2012-01-03 16:55   --------   d-----w-   c:\windows\system32\vi-VN
2012-01-03 16:45 . 2012-01-03 16:45   --------   d-----w-   c:\windows\system32\SPReview
2012-01-03 16:11 . 2009-04-10 21:28   928768   ----a-w-   c:\windows\system32\scavenge.dll
2012-01-03 16:11 . 2009-04-10 21:27   57856   ----a-w-   c:\windows\system32\compcln.exe
2012-01-03 16:10 . 2009-04-28 11:27   40960   ----a-w-   c:\program files\Common Files\Microsoft Shared\ink\he\Microsoft.Ink.Resources.dll
2012-01-03 16:04 . 2009-04-10 21:28   69632   ----a-w-   c:\windows\system32\rastapi.dll
2012-01-03 16:03 . 2009-04-10 21:32   438744   ----a-w-   c:\windows\system32\mcupdate_GenuineIntel.dll
2012-01-03 15:10 . 2012-01-03 15:10   --------   d-----w-   c:\windows\system32\EventProviders
2011-12-31 17:51 . 2011-12-31 17:51   --------   d-----w-   c:\users\ננ\AppData\Local\Chromium
2011-12-31 17:50 . 2011-12-31 17:51   --------   d-----w-   c:\program files\SRWare Iron
2011-12-24 14:23 . 2011-12-24 14:23   626688   ----a-w-   c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-24 14:23 . 2011-12-24 14:23   548864   ----a-w-   c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-24 14:23 . 2011-12-24 14:23   479232   ----a-w-   c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-24 14:23 . 2011-12-24 14:23   43992   ----a-w-   c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 18:10 . 2011-11-21 18:10   22000   ----a-w-   c:\windows\system32\drivers\Neo_0078.sys
2011-11-21 18:07 . 2011-11-21 18:07   81920   ----a-w-   c:\windows\system32\vpncmd.exe
2011-11-11 23:29 . 2011-06-03 16:30   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 12:29 . 2011-10-24 12:29   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
2011-10-24 12:29 . 2011-10-24 12:29   69632   ----a-w-   c:\windows\system32\QuickTime.qts
2011-12-24 14:23 . 2011-04-21 14:34   121816   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-10-09 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LGSR"="c:\program files\LG Software\LG Smart Recovery\MUITransfer\MUIStartMenu.exe %ProgramFiles%\LG Software\LG Smart Recovery UpdateWithCreateOnce Software\CyberLink\PowerRecover" [X]
"LG Magnifier"="c:\program files\LG Software\LG Magnifier\MagnifyingGlass.exe" [2008-05-20 144688]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-10-09 102400]
"BatteryMiser 5"="c:\program files\LG Software\BatteryMiser\BatteryMiser5.exe" [2008-07-17 697648]
"LG Intelligent Update"="c:\program files\lg_swupdate\giljabistart.exe" [2008-09-25 300336]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-12 6265376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-11 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-11 92704]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-14 222504]
"TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2008-12-02 554264]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-11-28 53248]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-02 2415456]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ModemListener"="c:\program files\HSPA USB MODEM\ModemListener.exe" [2010-08-03 98304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= "c:\windows\system32\bmpsap.dll" [2011-08-10 114688]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Users^ננ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\ננ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 05:22   59240   ----a-w-   c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-21 12:37   136176   ----atw-   c:\users\ננ\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeybdUtility]
2008-08-15 23:49   3026944   ----a-w-   c:\program files\LG Software\LG OSD\HotKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-10 21:28   2153472   ----a-w-   c:\windows\System32\oobefldr.dll
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
bthsvcs   REG_MULTI_SZ      BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-03 07:39]
.
2012-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-03 07:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lainyan.co.il/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\ננ\AppData\Roaming\Mozilla\Firefox\Profiles\80o6xbvm.default\
FF - prefs.js: browser.startup.homepage - about:home
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-14 12:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
 

• 0x20006C00

.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-01-14  12:58:09
ComboFix-quarantined-files.txt  2012-01-14 10:58
ComboFix2.txt  2012-01-14 00:31
.
Pre-Run: 33,435,611,136 bytes free
Post-Run: 33,412,898,816 bytes free
.
- - End Of File - - 4008DA0EB059D0049C537E9905393DBB

and this is mbam:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.14.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 7.0.6002.18005
ננ :: WIN-9602E7BZE7N [limited]

Protection: Enabled

14/01/2012 13:15:50
mbam-log-2012-01-14 (13-15-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 166936
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Many thanks again for the knowledgeable comprehensive hep I'm getting
 

[1972vet]

I'm not happy with that log. The .reg keys that we wanted to unlock, are still locked up. Please provide me with a little more detail as to what you mean here:
"programs could not be started before that restart."

...what programs would not start before combofix restarted the computer? You weren't trying to run something while combofix was in the midst of trying to reboot the computer...were you?

If so, please don't do a thing after combofix starts to run. It will reboot the computer automatically. Please be patient while combofix does what it is designed to do. We need to run the script again, and for more reason than just because the last run failed. The log indicates a hidden process that the rootkit scan picked up that wasn't there the first time we ran combofix. Please be sure to do nothing else with the computer except for what is instructed here. Go nowhere else on the internet except to come here and reply in this thread and open no other email except from SpywareHammer until we finish up. Otherwise, there is the chance that things can get turned sideways and we don't want to delay any positive results. Thanks for understanding.

Please open a blank Notepad...Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

KILLALL::

reglock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

[puzzled]

Hi  
First, sorry for the slow response, it's a very busy week. Your professional help is most appreciated and I again thank you for it, and I'm taking your instructions very seriously.

From what you wrote I see there have been some unclearness about what happened when I ran combofix, so I'm clarifying what I did and what happened. Once we are on the same I will re-run combofix if necessary. But due to the harsh nature of the situation I do not want to take any step before I know both see the same picture.  :

First, to the best of my knowledge combofix did not required any reboot in my case, it ended in producing a log. Then (When a logfile popped on the screen) and only then did I do anything on the computer. I try to follow you instructions as closely as possible.

I copy-pasted of the log and...

When I tried reconnect to the internet to update Mbam using the provided ISP program I use for that (I have a cellular netstick usb modem) – clicking on desktop icons of programs would not start them. Here are the programs I tried to start

Isp program: "C:\Program Files\HSPA USB MODEM\HSPA USB MODEM.exe"

And a folder icon I used to start windows explorer that also did not start.

I would have copied the massage I got, but it was in Hebrew. What it said was something about registry keys marked for deletion that do allow starting of the program:

A reboot solved that.

As for running something along side combofix, I did not do that. I also closed anything that could be closed from the system tray.I also stopped avg. I'm joining a print screen the processes that run after doing that, let me know if anything needs killing.

Thanks again  

[Attachment removed by Admin]

[1972vet]

Thanks for explanation puzzled. May I see the combofix log produced by the last scan please?

Also, please do not attach anything in your post unless I specifically request it.

Members have become infected before from foreign attachments...and I'm not suggesting that yours was malicious. I'm sure it was harmless but I make no exceptions, I hope you understand.

It's just that I have made it a habit to firmly and consistently refuse to open any attachments unless it is something I requested and was expecting and I bend backwards in the effort to keep everyone safe by having it removed.

Thanks for understanding.

[puzzled]

Hi

The last scan was already posted in the post before the previous. You've seen it. If you you want me to scan again and retry to unlock those reg key, just let me know.





 

[1972vet]

Hi...The last scan was already posted in the post before the previous. You've seen it. If you you want me to scan again and retry to unlock those reg key, just let me know.

I have. Post #14 is where I let you know...and the instruction there requires another run of combofix which produced a log. May I see it please?

[puzzled]

And here is the report...but before that a few irrgularities while combofix ran:

it required a reboot this time

after the reboot the programs on the autostartup list of vista including avg started: avg detected combofix as a false positive but I allowed it and stopped the scan

again, after trying to reconnect to the net i got the massage about an illegal action that was attempted on a reg key that was marked for deletion

again, a reboot solved the problem

many thanks and here is the combofix report:

ComboFix 12-01-13.05 - ננ 01/18/2012  13:07:44.3.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1255.972.1037.18.1918.1082 [GMT 2:00]
Running from: c:\users\ננ\Desktop\ComboFix.exe
Command switches used :: c:\users\ננ\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
.
.
(((((((((((((((((((((((((   Files Created from 2011-12-18 to 2012-01-18  )))))))))))))))))))))))))))))))
.
.
2012-01-18 11:20 . 2012-01-18 11:25   --------   d-----w-   c:\users\ננ\AppData\Local\temp
2012-01-18 11:20 . 2012-01-18 11:20   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-01-14 11:08 . 2012-01-14 11:08   --------   d-----w-   c:\users\ננ\AppData\Roaming\Malwarebytes
2012-01-14 11:07 . 2012-01-14 11:07   --------   d-----w-   c:\programdata\Malwarebytes
2012-01-14 11:07 . 2012-01-14 11:07   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-01-14 11:07 . 2011-12-10 13:24   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-01-03 16:54 . 2012-01-03 16:56   --------   d-----w-   c:\windows\system32\ca-ES
2012-01-03 16:54 . 2012-01-03 16:56   --------   d-----w-   c:\windows\system32\eu-ES
2012-01-03 16:54 . 2012-01-03 16:55   --------   d-----w-   c:\windows\system32\vi-VN
2012-01-03 16:45 . 2012-01-03 16:45   --------   d-----w-   c:\windows\system32\SPReview
2012-01-03 16:11 . 2009-04-10 21:28   928768   ----a-w-   c:\windows\system32\scavenge.dll
2012-01-03 16:11 . 2009-04-10 21:27   57856   ----a-w-   c:\windows\system32\compcln.exe
2012-01-03 16:10 . 2009-04-28 11:27   40960   ----a-w-   c:\program files\Common Files\Microsoft Shared\ink\he\Microsoft.Ink.Resources.dll
2012-01-03 16:04 . 2009-04-10 21:28   69632   ----a-w-   c:\windows\system32\rastapi.dll
2012-01-03 16:03 . 2009-04-10 21:32   438744   ----a-w-   c:\windows\system32\mcupdate_GenuineIntel.dll
2012-01-03 15:10 . 2012-01-03 15:10   --------   d-----w-   c:\windows\system32\EventProviders
2011-12-31 17:51 . 2011-12-31 17:51   --------   d-----w-   c:\users\ננ\AppData\Local\Chromium
2011-12-31 17:50 . 2011-12-31 17:51   --------   d-----w-   c:\program files\SRWare Iron
2011-12-24 14:23 . 2011-12-24 14:23   626688   ----a-w-   c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-24 14:23 . 2011-12-24 14:23   548864   ----a-w-   c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-24 14:23 . 2011-12-24 14:23   479232   ----a-w-   c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-24 14:23 . 2011-12-24 14:23   43992   ----a-w-   c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 18:10 . 2011-11-21 18:10   22000   ----a-w-   c:\windows\system32\drivers\Neo_0078.sys
2011-11-21 18:07 . 2011-11-21 18:07   81920   ----a-w-   c:\windows\system32\vpncmd.exe
2011-11-11 23:29 . 2011-06-03 16:30   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 12:29 . 2011-10-24 12:29   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
2011-10-24 12:29 . 2011-10-24 12:29   69632   ----a-w-   c:\windows\system32\QuickTime.qts
2011-12-24 14:23 . 2011-04-21 14:34   121816   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-10-09 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LGSR"="c:\program files\LG Software\LG Smart Recovery\MUITransfer\MUIStartMenu.exe %ProgramFiles%\LG Software\LG Smart Recovery UpdateWithCreateOnce Software\CyberLink\PowerRecover" [X]
"LG Magnifier"="c:\program files\LG Software\LG Magnifier\MagnifyingGlass.exe" [2008-05-20 144688]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-10-09 102400]
"BatteryMiser 5"="c:\program files\LG Software\BatteryMiser\BatteryMiser5.exe" [2008-07-17 697648]
"LG Intelligent Update"="c:\program files\lg_swupdate\giljabistart.exe" [2008-09-25 300336]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-12 6265376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-11 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-11 92704]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-14 222504]
"TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2008-12-02 554264]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-11-28 53248]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-02 2415456]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ModemListener"="c:\program files\HSPA USB MODEM\ModemListener.exe" [2010-08-03 98304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= "c:\windows\system32\bmpsap.dll" [2011-08-10 114688]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Users^ננ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\ננ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 05:22   59240   ----a-w-   c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-21 12:37   136176   ----atw-   c:\users\ננ\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeybdUtility]
2008-08-15 23:49   3026944   ----a-w-   c:\program files\LG Software\LG OSD\HotKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-10 21:28   2153472   ----a-w-   c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
bthsvcs   REG_MULTI_SZ      BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-03 07:39]
.
2012-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-03 07:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lainyan.co.il/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\ננ\AppData\Roaming\Mozilla\Firefox\Profiles\80o6xbvm.default\
FF - prefs.js: browser.startup.homepage - about:home
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-18 13:24
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
.
c:\windows\TEMP\BIT2A41.tmp 0 bytes
c:\windows\TEMP\GUREEFF.exe 0 bytes
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\lpksetup.exe
c:\program files\AVG\AVG2012\avgwdsvc.exe
c:\program files\Common Files\DeviceHelper\DeviceManager.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\AVG\AVG2012\AVGIDSAgent.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\windows\system32\conime.exe
c:\windows\system32\WUDFHost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\LG Software\LG Magnifier\Maglev.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
.
**************************************************************************
.
Completion time: 2012-01-18  13:31:47 - machine was rebooted
ComboFix-quarantined-files.txt  2012-01-18 11:31
ComboFix2.txt  2012-01-14 10:58
ComboFix3.txt  2012-01-14 00:31
.
Pre-Run: 32,338,657,280 bytes free
Post-Run: 32,215,531,520 bytes free
.
- - End Of File - - A1537F9C4B17DAC748F141F2A7FECAC8
 

[1972vet]

Much better. One more now:
Please open another blank Notepad then copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated and advise how the system now performs for you. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


KILLALL::

Rootkit::
c:\windows\TEMP\BIT2A41
c:\windows\TEMP\GUREEFF

[puzzled]

First, system behaves much better, streaming seem to work, on a few sites on two browsers. I hope this is the end of it, but will do any thing you think needs doing.

How did that happen, was it a site or an emale attack? I would very much like to know if that's possible.

and of course...the report
 

ComboFix 12-01-13.05 - ננ 01/18/2012  17:36:57.4.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1255.972.1037.18.1918.937 [GMT 2:00]
Running from: c:\users\??\Desktop\ComboFix.exe
Command switches used :: c:\users\??\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
.
.
(((((((((((((((((((((((((   Files Created from 2011-12-18 to 2012-01-18  )))))))))))))))))))))))))))))))
.
.
2012-01-18 15:48 . 2012-01-18 15:48   --------   d-----w-   c:\users\ננ\AppData\Local\temp
2012-01-18 15:48 . 2012-01-18 15:48   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-01-14 11:08 . 2012-01-14 11:08   --------   d-----w-   c:\users\ננ\AppData\Roaming\Malwarebytes
2012-01-14 11:07 . 2012-01-14 11:07   --------   d-----w-   c:\programdata\Malwarebytes
2012-01-14 11:07 . 2012-01-14 11:07   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-01-14 11:07 . 2011-12-10 13:24   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-01-03 16:54 . 2012-01-03 16:56   --------   d-----w-   c:\windows\system32\ca-ES
2012-01-03 16:54 . 2012-01-03 16:56   --------   d-----w-   c:\windows\system32\eu-ES
2012-01-03 16:54 . 2012-01-03 16:55   --------   d-----w-   c:\windows\system32\vi-VN
2012-01-03 16:45 . 2012-01-03 16:45   --------   d-----w-   c:\windows\system32\SPReview
2012-01-03 16:11 . 2009-04-10 21:28   928768   ----a-w-   c:\windows\system32\scavenge.dll
2012-01-03 16:11 . 2009-04-10 21:27   57856   ----a-w-   c:\windows\system32\compcln.exe
2012-01-03 16:10 . 2009-04-28 11:27   40960   ----a-w-   c:\program files\Common Files\Microsoft Shared\ink\he\Microsoft.Ink.Resources.dll
2012-01-03 16:04 . 2009-04-10 21:28   69632   ----a-w-   c:\windows\system32\rastapi.dll
2012-01-03 16:03 . 2009-04-10 21:32   438744   ----a-w-   c:\windows\system32\mcupdate_GenuineIntel.dll
2012-01-03 15:10 . 2012-01-03 15:10   --------   d-----w-   c:\windows\system32\EventProviders
2011-12-31 17:51 . 2011-12-31 17:51   --------   d-----w-   c:\users\ננ\AppData\Local\Chromium
2011-12-31 17:50 . 2011-12-31 17:51   --------   d-----w-   c:\program files\SRWare Iron
2011-12-24 14:23 . 2011-12-24 14:23   626688   ----a-w-   c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-24 14:23 . 2011-12-24 14:23   548864   ----a-w-   c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-24 14:23 . 2011-12-24 14:23   479232   ----a-w-   c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-24 14:23 . 2011-12-24 14:23   43992   ----a-w-   c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 18:10 . 2011-11-21 18:10   22000   ----a-w-   c:\windows\system32\drivers\Neo_0078.sys
2011-11-21 18:07 . 2011-11-21 18:07   81920   ----a-w-   c:\windows\system32\vpncmd.exe
2011-11-11 23:29 . 2011-06-03 16:30   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 12:29 . 2011-10-24 12:29   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
2011-10-24 12:29 . 2011-10-24 12:29   69632   ----a-w-   c:\windows\system32\QuickTime.qts
2011-12-24 14:23 . 2011-04-21 14:34   121816   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-10-09 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LGSR"="c:\program files\LG Software\LG Smart Recovery\MUITransfer\MUIStartMenu.exe %ProgramFiles%\LG Software\LG Smart Recovery UpdateWithCreateOnce Software\CyberLink\PowerRecover" [X]
"LG Magnifier"="c:\program files\LG Software\LG Magnifier\MagnifyingGlass.exe" [2008-05-20 144688]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-10-09 102400]
"BatteryMiser 5"="c:\program files\LG Software\BatteryMiser\BatteryMiser5.exe" [2008-07-17 697648]
"LG Intelligent Update"="c:\program files\lg_swupdate\giljabistart.exe" [2008-09-25 300336]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-12 6265376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-11 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-11 92704]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-14 222504]
"TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2008-12-02 554264]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-11-28 53248]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-02 2415456]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ModemListener"="c:\program files\HSPA USB MODEM\ModemListener.exe" [2010-08-03 98304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= "c:\windows\system32\bmpsap.dll" [2011-08-10 114688]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Users^ננ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\ננ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 05:22   59240   ----a-w-   c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-21 12:37   136176   ----atw-   c:\users\ננ\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeybdUtility]
2008-08-15 23:49   3026944   ----a-w-   c:\program files\LG Software\LG OSD\HotKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-10 21:28   2153472   ----a-w-   c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
bthsvcs   REG_MULTI_SZ      BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-03 07:39]
.
2012-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-03 07:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lainyan.co.il/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\ננ\AppData\Roaming\Mozilla\Firefox\Profiles\80o6xbvm.default\
FF - prefs.js: browser.startup.homepage - about:home
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-18 17:48
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-01-18  17:51:19
ComboFix-quarantined-files.txt  2012-01-18 15:51
ComboFix2.txt  2012-01-18 11:31
ComboFix3.txt  2012-01-14 10:58
ComboFix4.txt  2012-01-14 00:31
.
Pre-Run: 32,336,883,712 bytes free
Post-Run: 32,201,441,280 bytes free
.
- - End Of File - - 1CFAE9593D6E5D4F28696DAF8CEFBD79

[1972vet]

...How did that happen, was it a site or an emale attack? I would very much like to know if that's possible.

It would be nearly impossible for me to determine but you could. When something like what you described suddenly occurs, you need only ask yourself "what was I doing at the time", or "what software or hardware did I just install"...in other words, just try to recall exactly what happened just prior to noticing quirky system behavior. Nine times out of ten, you would at least know if it was software/hardware, or website/email related.

I'm happy with that log now. What I'd like you to do now is to run a manual update to your on board anti-virus product and run a complete system scan. Allow the software to quarantine whatever it complains of. Reboot when finished, and post back your results. I think we can then finish this up. Thanks!

[puzzled]

Hi
I did what what you asked, I almost forgot to reboot before posting and posted the report but, in the last moment I did not send it and rebooted right after the login to the forum
I hope it's still ok

anyway
here's the report

Scan "Whole computer scyan" completed.
Warnings;"103";"103";"0"
Information;"76"
Folders selected for scanning:;"Whole computer scan"
Scan started:;"יום חמישי 19 ינואר 2012, 20:51:51"
Scan finished:;"יום חמישי 19 ינואר 2012, 21:21:28 (29 minute(s) 36 second(s))"
Total object scanned:;"1690923"
User who launched the scan:;"ננ"

Warnings
;"File";"Infection";"Result"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@revsci[1].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@revsci[1].txt";"Found Tracking cookie.Revsci";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@msnportal.112.2o7[1].txt";"Found Tracking cookie.2o7";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@m.webtrends[2].txt";"Found Tracking cookie.Webtrends";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@atdmt[2].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@adtech[1].txt:\adtech.de.a9245469";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@adtech[1].txt";"Found Tracking cookie.Adtech";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@2o7[1].txt:\2o7.net.f2bad1d";"Found Tracking cookie.2o7";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@2o7[1].txt:\2o7.net.411f632";"Found Tracking cookie.2o7";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\ננ@2o7[1].txt";"Found Tracking cookie.2o7";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@yadro[2].txt:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@yadro[2].txt";"Found Tracking cookie.Yadro";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@xxxcounter[1].txt:\xxxcounter.com.6b152083";"Found Tracking cookie.Xxxcounter";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@xxxcounter[1].txt";"Found Tracking cookie.Xxxcounter";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@tribalfusion[1].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@tribalfusion[1].txt";"Found Tracking cookie.Tribalfusion";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@trafficmp[1].txt:\trafficmp.com.f3e5803e";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@trafficmp[1].txt:\trafficmp.com.a00e30b4";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@trafficmp[1].txt:\trafficmp.com.35be004f";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@trafficmp[1].txt";"Found Tracking cookie.Trafficmp";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@statse.webtrendslive[1].txt:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@statse.webtrendslive[1].txt";"Found Tracking cookie.Webtrendslive";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@smartadserver[2].txt:\smartadserver.com.c5827141";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@smartadserver[2].txt:\smartadserver.com.bf8b766";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@smartadserver[2].txt:\smartadserver.com.5550c4ed";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@smartadserver[2].txt:\smartadserver.com.3e749ab9";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@smartadserver[2].txt:\smartadserver.com.321a5cf8";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@smartadserver[2].txt";"Found Tracking cookie.Smartadserver";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@sextracker[1].txt:\sextracker.com.9ff929d7";"Found Tracking cookie.Sextracker";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@sextracker[1].txt";"Found Tracking cookie.Sextracker";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@serving-sys[1].txt:\serving-sys.com.db46cecc";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@serving-sys[1].txt:\serving-sys.com.ac41fe5a";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@serving-sys[1].txt:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@serving-sys[1].txt:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@serving-sys[1].txt:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@serving-sys[1].txt:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@serving-sys[1].txt:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@serving-sys[1].txt";"Found Tracking cookie.Serving-sys";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@searchportal.information[1].txt:\searchportal.information.com.44e78b2";"Found Tracking cookie.Information";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@searchportal.information[1].txt:\searchportal.information.com.3a8d7204";"Found Tracking cookie.Information";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@searchportal.information[1].txt:\searchportal.information.com.1445b9e";"Found Tracking cookie.Information";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@searchportal.information[1].txt";"Found Tracking cookie.Information";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@revsci[1].txt:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@revsci[1].txt";"Found Tracking cookie.Revsci";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@realmedia[2].txt:\realmedia.com.e14be39e";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@realmedia[2].txt:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@realmedia[2].txt:\realmedia.com.125a868c";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@realmedia[2].txt";"Found Tracking cookie.Realmedia";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@qksrv[2].txt:\qksrv.net.3f989311";"Found Tracking cookie.Qksrv";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@qksrv[2].txt:\qksrv.net.2060efc3";"Found Tracking cookie.Qksrv";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@qksrv[2].txt";"Found Tracking cookie.Qksrv";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@pro-market[2].txt:\pro-market.net.bbf67f2d";"Found Tracking cookie.Pro-market";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@pro-market[2].txt";"Found Tracking cookie.Pro-market";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@msnportal.112.2o7[1].txt";"Found Tracking cookie.2o7";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@m.webtrends[1].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@m.webtrends[1].txt";"Found Tracking cookie.Webtrends";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@liveperson[1].txt:\liveperson.net.8db0737c";"Found Tracking cookie.Liveperson";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@liveperson[1].txt";"Found Tracking cookie.Liveperson";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@hitbox[2].txt:\hitbox.com.2b95f8a3";"Found Tracking cookie.Hitbox";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@hitbox[2].txt";"Found Tracking cookie.Hitbox";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@fastclick[1].txt:\fastclick.net.c38980e4";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@fastclick[1].txt:\fastclick.net.9b41aa53";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@fastclick[1].txt:\fastclick.net.8dd1284a";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@fastclick[1].txt:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@fastclick[1].txt";"Found Tracking cookie.Fastclick";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@casalemedia[2].txt:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@casalemedia[2].txt:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@casalemedia[2].txt:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@casalemedia[2].txt:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@casalemedia[2].txt:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@casalemedia[2].txt:\casalemedia.com.12e6c053";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@casalemedia[2].txt";"Found Tracking cookie.Casalemedia";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@burstnet[1].txt:\burstnet.com.c4fe2ebb";"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@burstnet[1].txt:\burstnet.com.a3218a37";"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@burstnet[1].txt";"Found Tracking cookie.Burstnet";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@bs.serving-sys[2].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@bs.serving-sys[2].txt:\bs.serving-sys.com.46763078";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@bs.serving-sys[2].txt";"Found Tracking cookie.Serving-sys";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@atdmt[1].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@advertising[2].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@advertising[2].txt";"Found Tracking cookie.Advertising";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@adtech[1].txt:\adtech.de.a9245469";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@adtech[1].txt";"Found Tracking cookie.Adtech";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@adbrite[1].txt:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@adbrite[1].txt:\adbrite.com.775ee79c";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@adbrite[1].txt:\adbrite.com.71beeff9";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@adbrite[1].txt";"Found Tracking cookie.Adbrite";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@ad.yieldmanager[1].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@ad.yieldmanager[1].txt:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@ad.yieldmanager[1].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@ad.yieldmanager[1].txt:\ad.yieldmanager.com.b4be891c";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@ad.yieldmanager[1].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@ad.yieldmanager[1].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@ad.yieldmanager[1].txt";"Found Tracking cookie.Yieldmanager";"Healed"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@2o7[2].txt:\2o7.net.1a1b1110";"Found Tracking cookie.2o7";"Moved to Virus Vault"
;"C:\Users\ננ\AppData\Roaming\Microsoft\Windows\Cookies\Low\ננ@2o7[2].txt";"Found Tracking cookie.2o7";"Healed"

Information
;"File";"Information";"Result"
;"C:\ProgramData\AVG2012\IDS\config\userList.zip";"Password-protected";""
;"C:\ProgramData\AVG2012\IDS\config\quarantinedList.zip";"Password-protected";""
;"C:\ProgramData\AVG2012\IDS\config\md5Cache.dat";"Password-protected";""
;"C:\ProgramData\AVG2012\IDS\config\internalList.zip";"Password-protected";""
;"C:\Program Files\Microsoft Office\Office12\1033\EXPTOOWS.XLA";"Contains macros";""
;"D:\System Volume Information\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\LogFiles\WMI\RtBackup\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\system";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\software";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\security";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\sam";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\RegBack\SYSTEM";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\RegBack\SOFTWARE";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\RegBack\SECURITY";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\RegBack\SAM";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\RegBack\DEFAULT";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\RegBack\COMPONENTS";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\default";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\config\components";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\ServiceProfiles\NetworkService\ntuser.dat";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\ServiceProfiles\LocalService\ntuser.dat";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Windows\bthservsdp.dat";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\ננ\Templates\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\ננ\PrintHood\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\ננ\ntuser.dat";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\ננ\NetHood\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\ננ\Documents\My Videos\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\ננ\Documents\My Pictures\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\ננ\Documents\My Music\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\ננ\AppData\Local\Microsoft\Windows\UsrClass.dat";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\ננ\AppData\Local\History\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Public\Documents\My Videos\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Public\Documents\My Pictures\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Public\Documents\My Music\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\Templates\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\Start Menu\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\SendTo\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\Recent\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\PrintHood\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\NetHood\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\My Documents\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\Local Settings\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\Documents\My Videos\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\Documents\My Pictures\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\Documents\My Music\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\Cookies\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\Application Data\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\AppData\Local\Temporary Internet Files\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\AppData\Local\History\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default\AppData\Local\Application Data\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Users\Default User\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\System Volume Information\{f0039542-3848-11e1-a70b-ec71b5ef597f}{3808876b-c176-4e48-b7ae-04046e6cc752}";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\System Volume Information\{a0842bb2-3acd-11e1-a8e4-fe4396169175}{3808876b-c176-4e48-b7ae-04046e6cc752}";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\System Volume Information\{a0842a12-3acd-11e1-a8e4-941ef95c2b33}{3808876b-c176-4e48-b7ae-04046e6cc752}";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\System Volume Information\{9f8ea69a-41c8-11e1-b85e-b045e5fe7b4c}{3808876b-c176-4e48-b7ae-04046e6cc752}";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\System Volume Information\{798873b1-40e4-11e1-b44b-8b489ecd766e}{3808876b-c176-4e48-b7ae-04046e6cc752}";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\System Volume Information\{72eb88d2-3d36-11e1-bbef-ca2dc207562b}{3808876b-c176-4e48-b7ae-04046e6cc752}";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\System Volume Information\{283dd43e-3e9f-11e1-a620-f89eb3d5ea73}{3808876b-c176-4e48-b7ae-04046e6cc752}";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\System Volume Information\{0c0e5ee1-3a22-11e1-98f0-c24c5fc6e176}{3808876b-c176-4e48-b7ae-04046e6cc752}";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\System Volume Information\{0028eee9-3dc4-11e1-940a-f5a442708329}{3808876b-c176-4e48-b7ae-04046e6cc752}";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Qoobox\BackEnv\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\ProgramData\Templates\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\ProgramData\Start Menu\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\ProgramData\Favorites\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\ProgramData\Documents\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\ProgramData\Desktop\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\ProgramData\Application Data\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\pagefile.sys";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\hiberfil.sys";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Documents and Settings\";"Locked file. Not tested.";"Locked file. Not tested."
;"C:\Boot\BCD";"Locked file. Not tested.";"Locked file. Not tested."

[1972vet]

You can delete these now:
RogueKiller and associated folder/files
TDSSKiller and associated logs
DDS and associated logs

Next, please click start-->type Run in the "Search programs and files" box. The Run box icon will appear somewhere at the top of the list. Click that icon. When the run box opens, copy and paste the Bold text below into the run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again for you automatically.
To assist in the prevention of malicious software intrusion and infections, you can begin by reading "How to boost your malware defense and protect your PC"...

Please remember to keep antivirus software on board and always use it's real time protection feature. Run a complete system scan at least once a week...preferably in Safe mode.

A word of caution
Security vendors, in recent years, have partnered with "Ask.com" in providing the "Ask Toolbar" bundled with their download(s).

Although the toolbar is considered to be a Legitimate program, it is nonetheless questionable as to it's behavior. It is alleged to be spyware/adware as the behavior of this application tracks a user's history and sends "search" information to it's servers in order to provide a user with targeted search results, many of these results may also be for questionable web sites. In fairness, one should keep in mind, google does the same thing regarding search results.

This tracking is considered by many of us in the security field, to be offensive.

Some of the "Download links" that I may provide, may also contain this program bundled with it. If you choose not to use it, the bundled software will always contain an "Opt Out" measure via some checkbox. The user can check (or uncheck) this box to prevent the download.

If a user isn't cautious and may have mistakenly installed this program, it can easily be removed via the "Uninstall" string provided with the software. Detailed instructions how to remove the program can be found Here.

If your antivirus program is a licensed version that is about to expire, you can consider using one of these available free on the public domain:

Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! 4 Home Edition

Those of us in the online safety/security community have tried and tested these programs to determine their abilities. Having in mind, nothing is ever a guarantee regarding computer security, these programs nevertheless, combined with the rest of these recommendations are certain to have an impact in helping to keep your system running free and clear. I personally have been completely satisfied from having tested and used each one of those at one time or another.

Immunize your browser by installing Spywareblaster. What does it do?

• Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
• Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
• Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust, (WOT,) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
• Yellow for caution
• Red to stop

WOT has an add-on available for both Firefox and IE.

Install the Winpatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and it's ease of use. Need help understanding something about Winpatol? Here it is.

Windows Vista and Windows 7 have a software firewall built in and activated by default. This native firewall is a big improvement and is fine by itself. However, there are third party software Firewalls that offer a bit more configuration options.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason. I should also mention, if you choose to use a third party firewall, make certain the Windows firewall is turned off to prevent conflict issues.

...and please remember, you should have only one of these types of third party firewalls running on board:

Zone Alarm...Windows 2k/XP/Vista

Outpost Free

Comodo...I highly recommend this firewall, but it may just be best suited for advanced users.

Stay updated with the most recent Windows patches using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. Please avoid using the "registry" cleaning feature of this utility unless you consider yourself an expert. Contrary to popular thought, the Windows Registry has no need of any "cleaning". I personally challenge anyone to show a substantial benefit from having used any of these "registry cleaning" programs. There is none. Any difference at all is so miniscule that it's nearly impossible to calculate.

On the flip side, rather than any benefit, there is the possibility of slicing out enough pieces of the registry to render things useless...and that includes the operating system.

By default, CCleaner will ask you if you want to backup what is removed, and I suggest you do just that. If you have already used this option and found that something no longer works properly, please find the backup that was created and use it to restore that particular item. Remember, using this to clean the disk is absolutely useful and beneficial. A novice needs only to use the disk cleaning feature...and avoid the registry cleaning aspect. It's not difficult...just don't bother to click the Registry button on the menu.

CCleaner is an excellent...and fast disk cleaning utility that can easily be configured to suit your needs. Often, users find a simple reboot resolves a quirky performance issue which can come about as a result of the collection of temp files while browsing the web...and if you configure CCleaner to run on start up, then your system could be kept running fast and clean with each new user session.

The Yahoo Toolbar is included by default during the installation of the CCleaner utility...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

Don't forget to check your system's "defragmenter" settings. With Windows Vista, you have the option to set this as a scheduled event. It is best to have your system's "defrag" function scheduled for at least once a week.

So how did I get infected in the first place?
Regards, and Happy Surfing!

[1972vet]

This thread is now closed as the issue appears to be resolved.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.