Author Topic: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...


Offline Imernillo

  • Bronze Member
  • Posts: 11
Background:
Hi SpywareHammer Team! I am running Windows 7, and use Avira Antivir as my a/v software and the Windows firewall (possibly not the best one to use). I updated to the current version of Filezilla a month or two ago, and was asked for the administrator password. As I have forgotten it (or never wrote it down in the first place), I set my UAC to the lowest level in order to install Filezilla; unfortunately I forgot to reset my UAC to the recommended level afterwards.

Problem:
This has possibly led to my current problem. I haven't noticed any actual problems with my computer, but I ran a regular Avira scan over the weekend. It discovered 2 viruses which it was able to quarantine (EXP/2011-3544.DZ and EXP/2008-5353.AQ) and also 84 hidden objects. Avira suggested using the Avira Rescue CD, and to boot from that and scan again. When I did so (creating the CD on the computer with the hidden objects) it only found 4 encrypted files, which were old Avira installers on my desktop (I have now deleted them), but it did not find any problems due to hidden threats.

What I did:
So I have reset my UAC back to its proper level.
I used CCleaner to clean out the junk, and tried another Avira scan - problem persisted.
I ran Malwarebytes full scan - no problems detected.
I downloaded and ran SUPERAntiSpyware - 75 tracking cookies detected and deleted.

Not sure whether this is a load of false positives on Avira as there is no obvious slowing down of my system, or anything funny going on. But I'm more worried about the fact that things might be going on that I can't see, especially as Avira flags it as something that needs a rescue CD to diagnose and delete.

Any guidance would be greatly appreciated. And thanks for offering your own time and expertise to help me (and others) with malware problems.

Just for info, I am in the UK timezone (BST, or GMT+1) in case there are any delays between our communications during the process of fixing my problems.

Here are the DDS logs:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 1.6.0_31
Run by Neil at 12:27:06 on 2012-04-16
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.3839.2642 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
c:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe
C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Packard Bell Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=ixtreme_m3720&r=173611090206p0345v1i5y47j19219
mDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=ixtreme_m3720&r=173611090206p0345v1i5y47j19219
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=ixtreme_m3720&r=173611090206p0345v1i5y47j19219
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Global Registration] "C:\Program Files (x86)\Packard Bell\Registration\GREG.exe" BOOT
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Google Update] "C:\Users\Neil\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Packard Bell Photo Frame] C:\Program Files (x86)\Packard Bell Photo Frame\ButtonMonitor.exe -A
mRun: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun: [DNS7reminder] "C:\Program Files (x86)\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking10\Ereg.ini
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{7CD198C3-54C8-43B3-946E-8FB122A280FA} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64:     SkypeIEPluginBHO - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [Packard Bell Photo Frame] C:\Program Files (x86)\Packard Bell Photo Frame\ButtonMonitor.exe -A
mRun-x64: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
mRun-x64: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun-x64: [DNS7reminder] "C:\Program Files (x86)\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking10\Ereg.ini
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Neil\AppData\Roaming\Mozilla\Firefox\Profiles\higa72lc.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Neil\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-12 140672]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-12-8 169312]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-20 86224]
R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-10-20 110032]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 Greg_Service;GRegService;C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe [2009-6-4 1150496]
R2 Updater Service;Updater Service;C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe [2009-8-15 240160]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-9-20 135664]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-9-20 135664]
S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2009-8-15 332272]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-04-15 13:14:32   --------   d-----w-   C:\Users\Neil\AppData\Roaming\SUPERAntiSpyware.com
2012-04-15 13:13:55   --------   d-----w-   C:\ProgramData\SUPERAntiSpyware.com
2012-04-15 13:13:55   --------   d-----w-   C:\Program Files\SUPERAntiSpyware
2012-04-13 13:41:34   8669240   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A2D5C0DD-B1C0-49F5-9C80-5135C18CB5EF}\mpengine.dll
2012-04-13 01:57:37   5559152   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2012-04-13 01:57:36   3968368   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-13 01:57:36   3913072   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
2012-04-13 01:56:12   81408   ----a-w-   C:\Windows\System32\imagehlp.dll
2012-04-13 01:56:12   23408   ----a-w-   C:\Windows\System32\drivers\fs_rec.sys
2012-04-13 01:56:12   159232   ----a-w-   C:\Windows\SysWow64\imagehlp.dll
2012-04-13 01:56:11   5120   ----a-w-   C:\Windows\SysWow64\wmi.dll
2012-04-13 01:56:11   5120   ----a-w-   C:\Windows\System32\wmi.dll
2012-04-13 01:56:11   220672   ----a-w-   C:\Windows\System32\wintrust.dll
2012-04-13 01:56:11   172544   ----a-w-   C:\Windows\SysWow64\wintrust.dll
2012-04-04 05:53:56   182160   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2012-03-17 13:56:41   592824   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-17 13:56:41   44472   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
.
==================== Find3M  ====================
.
2012-04-04 14:56:40   24904   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2012-04-02 11:02:01   472808   ----a-w-   C:\Windows\SysWow64\deployJava1.dll
2012-02-28 06:39:37   1188864   ----a-w-   C:\Windows\System32\wininet.dll
2012-02-28 05:38:52   981504   ----a-w-   C:\Windows\SysWow64\wininet.dll
2012-02-28 04:31:38   1638912   ----a-w-   C:\Windows\System32\mshtml.tlb
2012-02-28 03:52:27   1638912   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2012-02-23 09:18:36   279656   ------w-   C:\Windows\System32\MpSigStub.exe
2012-02-17 06:38:26   1031680   ----a-w-   C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22   826880   ----a-w-   C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24   210944   ----a-w-   C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32   23552   ----a-w-   C:\Windows\System32\drivers\tdtcp.sys
2012-02-10 06:36:07   1544192   ----a-w-   C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43   1077248   ----a-w-   C:\Windows\SysWow64\DWrite.dll
2012-02-07 10:02:40   1070352   ----a-w-   C:\Windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34:34   3145728   ----a-w-   C:\Windows\System32\win32k.sys
2012-01-25 06:38:39   77312   ----a-w-   C:\Windows\System32\rdpwsx.dll
2012-01-25 06:38:38   149504   ----a-w-   C:\Windows\System32\rdpcorekmts.dll
2012-01-25 06:33:30   9216   ----a-w-   C:\Windows\System32\rdrmemptylst.exe
2012-01-23 20:28:51   60304   ----a-w-   C:\Users\Neil\g2mdlhlpx.exe
.
============= FINISH: 12:27:31.68 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 11/1/2009 2:18:53 PM
System Uptime: 4/16/2012 10:59:11 AM (2 hours ago)
.
Motherboard: Packard Bell |  | MCP73PVT-PM
Processor: Intel(R) Core(TM)2 Quad CPU    Q8300  @ 2.50GHz | CPU 1 | 2500/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 290 GiB total, 238.141 GiB free.
D: is FIXED (NTFS) - 291 GiB total, 290.524 GiB free.
E: is CDROM (CDFS)
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP325: 3/20/2012 8:30:34 AM - Windows Update
RP326: 3/23/2012 9:31:13 AM - Windows Update
RP327: 3/27/2012 10:00:04 AM - Windows Update
RP328: 4/2/2012 12:01:23 PM - Installed Java(TM) 6 Update 31
RP329: 4/3/2012 9:56:53 AM - Windows Update
RP330: 4/12/2012 5:26:33 PM - Windows Update
RP331: 4/13/2012 2:55:54 AM - Windows Update
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 7.0
Adobe Reader X (10.1.3)
Advertising Center
Alice Greenfingers
Amazonia
Atheros Client Installation Program
Avira Free Antivirus
Chicken Invaders 2
Click to Call with Skype
Compatibility Pack for the 2007 Office system
D3DX10
Dairy Dash
Dragon NaturallySpeaking 10
Dream Day First Home
eBay Worldwide
Farm Frenzy 2
FileZilla Client 3.5.3
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 5.1.0.880
Granny In Paradise
Heroes of Hellas
Identity Card
ImagXpress
Java Auto Updater
Java(TM) 6 Update 31
Junk Mail filter update
Keyword Tool Dominator
Malwarebytes Anti-Malware version 1.61.0.1400
Merriam Websters Spell Jam
Metaboli
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Works
Mozilla Firefox 11.0 (x86 en-GB)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9 Essentials
Nero ControlCenter
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express Help
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Online Upgrade
Nero StartSmart
Nero StartSmart Help
Nero StartSmart OEM
NeroExpress
neroxml
Norton Online Backup
Packard Bell GameZone Console
Packard Bell InfoCentre
Packard Bell Photo Frame 4.2.3.10
Packard Bell Recovery Management
Packard Bell Registration
Packard Bell ScreenSaver
Packard Bell Software Suite SE
Packard Bell Updater
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Skype™ 5.5
Star Defender 4
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Welcome Center
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
Xenu's Link Sleuth
XHeader
XHeader Bonus Download
.
==== Event Viewer Messages From Past Week ========
.
4/13/2012 9:32:19 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk6\DR6.
.
==== End Of File ===========================

« Last Edit: April 16, 2012, 12:34:54 PM by 1972vet »
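As an added example (not part of the thread, and not a tool the helpers use), a small triage script over a constructed excerpt of the DDS log above. It reads the UAC policy values DDS prints as "mPolicies-system" lines, which in this log are ConsentPromptBehaviorAdmin = 5 and ConsentPromptBehaviorUser = 3 (the Windows 7 defaults, consistent with UAC having been reset), and lists the entries a helper would look at first. The value meanings are Microsoft's documented UAC settings; the function names and the sample excerpt are my own.

```python
import re

# Constructed sample: an excerpt in the shape of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections posted above (not the whole log).
SAMPLE_DDS_LOG = r"""
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2009-8-15 332272]
"""

# Documented meanings of the two UAC registry values DDS reports.
ADMIN_PROMPT = {
    0: "elevate without prompting (UAC effectively off for administrators)",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (Windows 7 default)",
}
USER_PROMPT = {
    0: "automatically deny elevation requests",
    1: "prompt for credentials on the secure desktop",
    3: "prompt for credentials (default)",
}

POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
# Service/driver lines: "<R0|S3> name;display name;path [date size]" or "... --> path [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def parse_policies(log):
    """Return {name: int} for every mPolicies-system line in the log."""
    policies = {}
    for line in log.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[m.group(1)] = int(m.group(2))
    return policies


def uac_summary(policies):
    """Describe the UAC prompt levels and whether both sit at the Windows 7 defaults."""
    admin = policies.get("ConsentPromptBehaviorAdmin")
    user = policies.get("ConsentPromptBehaviorUser")
    return {
        "admin": admin,
        "admin_meaning": ADMIN_PROMPT.get(admin, "unknown or not reported"),
        "user": user,
        "user_meaning": USER_PROMPT.get(user, "unknown or not reported"),
        "is_default": admin == 5 and user == 3,
    }


def flag_entries(log):
    """Collect the entries a helper would look at first: registered BHOs/toolbars whose
    DLL is missing ("No File", an orphaned registry entry) and service/driver lines
    where DDS could not read the file (trailing "[?]"). These are triage prompts,
    not verdicts: "[?]" is common for legitimate, locked driver files."""
    flagged = []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith(("BHO", "TB")) and line.endswith("- No File"):
            flagged.append(("orphaned-bho", line.split(":", 1)[1].strip()))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(4).rstrip().endswith("[?]"):
            flagged.append(("unreadable-file", "%s %s" % (m.group(1), m.group(2))))
    return flagged


if __name__ == "__main__":
    summary = uac_summary(parse_policies(SAMPLE_DDS_LOG))
    print("UAC admin prompt: %s -> %s" % (summary["admin"], summary["admin_meaning"]))
    print("UAC user prompt:  %s -> %s" % (summary["user"], summary["user_meaning"]))
    print("At Windows 7 defaults:", summary["is_default"])
    for kind, detail in flag_entries(SAMPLE_DDS_LOG):
        print("%-16s %s" % (kind, detail))
```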



Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #1 on: April 16, 2012, 12:42:24 PM »
Greetings Imernillo and Welcome to our Forums,
I'm not seeing much of anything alarming either but, to put your mind at ease, let's take a deeper look inside the box:
Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
...of those, many people overlook the Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.  It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running... that may cause the scan to stall.

Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline Imernillo

  • Bronze Member
  • Posts: 11
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #2 on: April 16, 2012, 12:57:31 PM »
Thanks for stepping in to help 1972vet.

I'll get onto that right away. Just an FYI - I don't actually have a Windows 7 installation disc as the software was already pre-installed when I bought my computer. Presumably I'll still need the Recovery Console in this case despite having Windows 7?

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #3 on: April 16, 2012, 01:04:42 PM »
No. If you read the blue colored caveat, you'll see that for Windows 7 and Vista, the recovery console isn't an option. Without an installation media, your system is more than likely one that also has a hidden partition housing an image of the system as it was from the factory. Your manufacturer's owner's manual will tell you. Check it and see.

Offline Imernillo

  • Bronze Member
  • Posts: 11
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #4 on: April 16, 2012, 02:21:25 PM »
Thanks 1972vet - I misunderstood the blue caveat (thought I got a checkbox or something to select whether I wanted recovery console). And I looked in my manual, and it is exactly as you said.

Okay, due to stupidity on my part, I actually thought Windows Defender was the same thing as the Windows firewall, so accidentally ran Combofix with Defender enabled. It deleted some files. I then followed the instructions properly, and ran the scan again.

I guess you'll need to see both now. Sorry!

So here's log 1 (where I accidentally left Defender enabled):

ComboFix 12-04-16.02 - Neil 04/16/2012  20:24:11.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.3839.2945 [GMT 1:00]
Running from: c:\users\Neil\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Common Files\packardbell.ico
c:\users\Neil\g2mdlhlpx.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-03-16 to 2012-04-16  )))))))))))))))))))))))))))))))
.
.
2012-04-16 19:27 . 2012-04-16 19:27   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-04-15 13:14 . 2012-04-15 13:14   --------   d-----w-   c:\users\Neil\AppData\Roaming\SUPERAntiSpyware.com
2012-04-15 13:13 . 2012-04-15 13:14   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-04-15 13:13 . 2012-04-15 13:13   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2012-04-13 13:41 . 2012-03-14 03:27   8669240   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{A2D5C0DD-B1C0-49F5-9C80-5135C18CB5EF}\mpengine.dll
2012-04-13 01:57 . 2012-03-06 06:53   5559152   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-13 01:57 . 2012-03-06 05:59   3968368   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2012-04-13 01:57 . 2012-03-06 05:59   3913072   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2012-04-13 01:56 . 2012-03-01 06:46   23408   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-04-13 01:56 . 2012-03-01 06:33   81408   ----a-w-   c:\windows\system32\imagehlp.dll
2012-04-13 01:56 . 2012-03-01 05:33   159232   ----a-w-   c:\windows\SysWow64\imagehlp.dll
2012-04-13 01:56 . 2012-03-01 06:38   220672   ----a-w-   c:\windows\system32\wintrust.dll
2012-04-13 01:56 . 2012-03-01 06:28   5120   ----a-w-   c:\windows\system32\wmi.dll
2012-04-13 01:56 . 2012-03-01 05:37   172544   ----a-w-   c:\windows\SysWow64\wintrust.dll
2012-04-13 01:56 . 2012-03-01 05:29   5120   ----a-w-   c:\windows\SysWow64\wmi.dll
2012-04-12 23:20 . 2012-04-12 23:25   --------   d-----w-   c:\programdata\HP
2012-04-04 05:53 . 2012-04-04 05:53   182160   ----a-w-   c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2012-04-02 11:02 . 2012-04-02 11:02   --------   d-----w-   c:\program files (x86)\Common Files\Java
2012-04-02 11:02 . 2012-04-02 11:02   --------   d-----w-   c:\program files (x86)\Java
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 14:56 . 2009-12-03 09:52   24904   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-04-02 11:02 . 2010-07-11 14:36   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-02-23 09:18 . 2009-11-01 14:52   279656   ------w-   c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-14 09:52   1031680   ----a-w-   c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 09:52   826880   ----a-w-   c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 09:52   210944   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 09:52   23552   ----a-w-   c:\windows\system32\drivers\tdtcp.sys
2012-02-15 18:03 . 2011-10-20 09:23   132320   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2012-02-10 06:36 . 2012-03-14 10:03   1544192   ----a-w-   c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 10:03   1077248   ----a-w-   c:\windows\SysWow64\DWrite.dll
2012-02-07 10:02 . 2012-02-07 10:02   1070352   ----a-w-   c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34 . 2012-03-14 10:03   3145728   ----a-w-   c:\windows\system32\win32k.sys
2012-01-25 06:38 . 2012-03-14 09:53   77312   ----a-w-   c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-14 09:53   149504   ----a-w-   c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-14 09:53   9216   ----a-w-   c:\windows\system32\rdrmemptylst.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Global Registration"="c:\program files (x86)\Packard Bell\Registration\GREG.exe" [2009-07-31 2844704]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-15 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 4785536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Packard Bell Photo Frame"="c:\program files (x86)\Packard Bell Photo Frame\ButtonMonitor.exe" [2009-07-20 124416]
"SSBkgdUpdate"="c:\program files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 135664]
R3 Partner Service;Partner Service;c:\programdata\Partner\Partner.exe [2009-08-15 332272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys

S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-12-08 169312]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-11 86224]
S2 Greg_Service;GRegService;c:\program files (x86)\Packard Bell\Registration\GregHSRW.exe [2009-06-04 1150496]
S2 Updater Service;Updater Service;c:\program files\Packard Bell\Packard Bell Updater\UpdaterService.exe [2009-07-04 240160]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 12:08]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 12:08]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1477940481-1996178054-2997081552-1000Core.job
- c:\users\Neil\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-09 18:52]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1477940481-1996178054-2997081552-1000UA.job
- c:\users\Neil\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-09 18:52]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2009-08-15 08:25   750064   ----a-w-   c:\programdata\Partner\Partner64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-06-16 7883296]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-06-16 1833504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=ixtreme_m3720&r=173611090206p0345v1i5y47j19219
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Neil\AppData\Roaming\Mozilla\Firefox\Profiles\higa72lc.default\
FF - prefs.js: browser.startup.homepage -
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1477940481-1996178054-2997081552-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1477940481-1996178054-2997081552-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
.
**************************************************************************
.
Completion time: 2012-04-16  20:32:27 - machine was rebooted
ComboFix-quarantined-files.txt  2012-04-16 19:32
.
Pre-Run: 255,908,413,440 bytes free
Post-Run: 255,750,742,016 bytes free
.
- - End Of File - - 09F98141759263379621CD3EBDF76D2B

And here's log 2 (where I followed the instruction properly!):

ComboFix 12-04-16.02 - Neil 04/16/2012  20:49:36.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.3839.2639 [GMT 1:00]
Running from: c:\users\Neil\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2012-03-16 to 2012-04-16  )))))))))))))))))))))))))))))))
.
.
2012-04-16 19:52 . 2012-04-16 19:52   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-04-15 13:14 . 2012-04-15 13:14   --------   d-----w-   c:\users\Neil\AppData\Roaming\SUPERAntiSpyware.com
2012-04-15 13:13 . 2012-04-15 13:14   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-04-15 13:13 . 2012-04-15 13:13   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2012-04-13 13:41 . 2012-03-14 03:27   8669240   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{A2D5C0DD-B1C0-49F5-9C80-5135C18CB5EF}\mpengine.dll
2012-04-13 01:57 . 2012-03-06 06:53   5559152   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-13 01:57 . 2012-03-06 05:59   3968368   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2012-04-13 01:57 . 2012-03-06 05:59   3913072   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2012-04-13 01:56 . 2012-03-01 06:46   23408   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-04-13 01:56 . 2012-03-01 06:33   81408   ----a-w-   c:\windows\system32\imagehlp.dll
2012-04-13 01:56 . 2012-03-01 05:33   159232   ----a-w-   c:\windows\SysWow64\imagehlp.dll
2012-04-13 01:56 . 2012-03-01 06:38   220672   ----a-w-   c:\windows\system32\wintrust.dll
2012-04-13 01:56 . 2012-03-01 06:28   5120   ----a-w-   c:\windows\system32\wmi.dll
2012-04-13 01:56 . 2012-03-01 05:37   172544   ----a-w-   c:\windows\SysWow64\wintrust.dll
2012-04-13 01:56 . 2012-03-01 05:29   5120   ----a-w-   c:\windows\SysWow64\wmi.dll
2012-04-12 23:20 . 2012-04-12 23:25   --------   d-----w-   c:\programdata\HP
2012-04-04 05:53 . 2012-04-04 05:53   182160   ----a-w-   c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2012-04-02 11:02 . 2012-04-02 11:02   --------   d-----w-   c:\program files (x86)\Common Files\Java
2012-04-02 11:02 . 2012-04-02 11:02   --------   d-----w-   c:\program files (x86)\Java
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 14:56 . 2009-12-03 09:52   24904   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-04-02 11:02 . 2010-07-11 14:36   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-02-23 09:18 . 2009-11-01 14:52   279656   ------w-   c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-14 09:52   1031680   ----a-w-   c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 09:52   826880   ----a-w-   c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 09:52   210944   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 09:52   23552   ----a-w-   c:\windows\system32\drivers\tdtcp.sys
2012-02-15 18:03 . 2011-10-20 09:23   132320   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2012-02-10 06:36 . 2012-03-14 10:03   1544192   ----a-w-   c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 10:03   1077248   ----a-w-   c:\windows\SysWow64\DWrite.dll
2012-02-07 10:02 . 2012-02-07 10:02   1070352   ----a-w-   c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34 . 2012-03-14 10:03   3145728   ----a-w-   c:\windows\system32\win32k.sys
2012-01-25 06:38 . 2012-03-14 09:53   77312   ----a-w-   c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-14 09:53   149504   ----a-w-   c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-14 09:53   9216   ----a-w-   c:\windows\system32\rdrmemptylst.exe
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-04-16_19.29.32   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 08:37 . 2012-04-16 19:39   29044              c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-16 19:39   31160              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-01 14:20 . 2012-04-16 19:39   14220              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1477940481-1996178054-2997081552-1000_UserData.bin
+ 2009-11-01 14:45 . 2012-04-16 19:37   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-01 14:45 . 2012-04-16 10:01   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-01 14:45 . 2012-04-16 19:37   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 14:45 . 2012-04-16 10:01   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 14:45 . 2012-04-16 10:01   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-01 14:45 . 2012-04-16 19:37   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-01 14:15 . 2012-04-16 19:06   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-01 14:15 . 2012-04-16 19:37   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-01 14:15 . 2012-04-16 19:06   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-01 14:15 . 2012-04-16 19:37   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-04-16 19:53 . 2012-04-16 19:53   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-16 19:28 . 2012-04-16 19:28   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-16 19:53 . 2012-04-16 19:53   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-16 19:28 . 2012-04-16 19:28   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-04-16 12:04   628414              c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-16 19:41   628414              c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-16 19:41   110598              c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-04-16 12:04   110598              c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-04-16 19:28   314148              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-04-16 19:53   314148              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-11-25 01:16 . 2012-04-16 19:53   1428284              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1477940481-1996178054-2997081552-1000-8192.dat
- 2010-11-25 01:16 . 2012-04-16 19:28   1428284              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1477940481-1996178054-2997081552-1000-8192.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Global Registration"="c:\program files (x86)\Packard Bell\Registration\GREG.exe" [2009-07-31 2844704]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-15 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 4785536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Packard Bell Photo Frame"="c:\program files (x86)\Packard Bell Photo Frame\ButtonMonitor.exe" [2009-07-20 124416]
"SSBkgdUpdate"="c:\program files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 135664]
R3 Partner Service;Partner Service;c:\programdata\Partner\Partner.exe [2009-08-15 332272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys

S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-12-08 169312]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-11 86224]
S2 Greg_Service;GRegService;c:\program files (x86)\Packard Bell\Registration\GregHSRW.exe [2009-06-04 1150496]
S2 Updater Service;Updater Service;c:\program files\Packard Bell\Packard Bell Updater\UpdaterService.exe [2009-07-04 240160]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 12:08]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 12:08]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1477940481-1996178054-2997081552-1000Core.job
- c:\users\Neil\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-09 18:52]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1477940481-1996178054-2997081552-1000UA.job
- c:\users\Neil\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-09 18:52]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2009-08-15 08:25   750064   ----a-w-   c:\programdata\Partner\Partner64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-06-16 7883296]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-06-16 1833504]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=ixtreme_m3720&r=173611090206p0345v1i5y47j19219
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Neil\AppData\Roaming\Mozilla\Firefox\Profiles\higa72lc.default\
FF - prefs.js: browser.startup.homepage -
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1477940481-1996178054-2997081552-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1477940481-1996178054-2997081552-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
.
**************************************************************************
.
Completion time: 2012-04-16  20:56:31 - machine was rebooted
ComboFix-quarantined-files.txt  2012-04-16 19:56
ComboFix2.txt  2012-04-16 19:32
.
Pre-Run: 255,845,531,648 bytes free
Post-Run: 255,392,694,272 bytes free
.
- - End Of File - - DCEBADD401476BD62811AC086F0619FE

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #5 on: April 16, 2012, 02:44:33 PM »
Looks fine on my end with the exception of the couple of registry keys from which you are locked out. Fact is, while you as administrator are locked out, so is your anti-virus. I doubt though that it relates to the alleged "hidden" files. We'll see...but I suspect Avira is complaining of a non-issue that may resolve when it's updated next.

Please open a blank Notepad by clicking Start --> Run... Then, in the Run box, type Notepad.exe and click "OK".
Copy the below text in bold and paste it into the blank Notepad. Save it as CFScript.txt... Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your ComboFix.exe.

ComboFix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



KILLALL::

reglock::
[HKEY_USERS\S-1-5-21-1477940481-1996178054-2997081552-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
[HKEY_USERS\S-1-5-21-1477940481-1996178054-2997081552-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
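
The "LOCKED REGISTRY KEYS" condition 1972vet refers to, reproduced as an added example (this is not ComboFix's code and not something posted in the thread): a PowerShell check, run from an elevated prompt on the affected machine, that classifies a key as open, carrying a Deny ACE, unreadable, or missing. ComboFix lists a key when it finds a Deny entry in the DACL or cannot read the DACL at all; both are properties of the key's permissions rather than proof of malware, which is why the reply treats them as something to unlock and watch rather than an infection. The three key paths and the user SID are copied from the log above; the function names and the "FileExts" sweep at the end are my own additions, and the assumption is Windows 7 or later with an elevated session.

```powershell
# Added example (not ComboFix's code and not from the thread): report keys that
# an administrator, and therefore the anti-virus, cannot fully access.
# Assumptions: elevated PowerShell on Windows 7 or later; key paths and SID as in the log.

$UserSid = 'S-1-5-21-1477940481-1996178054-2997081552-1000'

$KeysFromLog = @(
    "HKEY_USERS\$UserSid\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice",
    "HKEY_USERS\$UserSid\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice",
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security'
)

function Test-RegistryKeyLock {
    # Classifies one key as Open, DenyAcePresent, DaclUnreadable or Missing.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$KeyPath)
    process {
        $result = [ordered]@{ Key = $KeyPath; Status = 'Open'; Owner = $null; DenyAces = @() }
        try {
            $acl = Get-Acl -LiteralPath "Registry::$KeyPath" -ErrorAction Stop
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            $result.Status = 'Missing'
            return [pscustomobject]$result
        }
        catch {
            # READ_CONTROL itself is denied (for example "Full" denied to Everyone), so
            # even an administrator cannot inspect the DACL without first taking ownership.
            $result.Status = 'DaclUnreadable'
            return [pscustomobject]$result
        }
        $result.Owner = $acl.Owner
        $result.DenyAces = @(
            $acl.Access |
                Where-Object { $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny } |
                ForEach-Object { '{0} denied {1}' -f $_.IdentityReference, $_.RegistryRights }
        )
        if ($result.DenyAces.Count -gt 0) { $result.Status = 'DenyAcePresent' }
        [pscustomobject]$result
    }
}

function Find-LockedRegistryKeys {
    # Walks a subtree and returns only the keys that are not fully open, so the
    # check covers more than the three keys ComboFix happened to list.
    param([Parameter(Mandatory)][string]$RootKeyPath)
    $walkErrors = @()
    $subKeys = Get-ChildItem -LiteralPath "Registry::$RootKeyPath" -Recurse -ErrorAction SilentlyContinue -ErrorVariable walkErrors
    $paths = @($RootKeyPath) + @($subKeys | ForEach-Object { $_.Name })
    # Keys that could not even be enumerated appear only in the error records.
    $paths += @($walkErrors | ForEach-Object { $_.TargetObject } | Where-Object { $_ })
    $paths | Sort-Object -Unique | Test-RegistryKeyLock | Where-Object { $_.Status -ne 'Open' }
}

# Check the three keys from the log, then sweep the FileExts tree two of them live in.
$KeysFromLog | Test-RegistryKeyLock | Format-Table -AutoSize
Find-LockedRegistryKeys -RootKeyPath "HKEY_USERS\$UserSid\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" | Format-Table -AutoSize
```

The script only reports. Unlocking a key whose DACL denies everyone, which is what the `reglock::` directive above does for you, means taking ownership of it first (the owner of an object can always read and rewrite its DACL), and that requires SeTakeOwnershipPrivilege to be enabled in the process token; from regedit this is the Permissions > Advanced > Owner dialog, and it is worth doing only for the specific keys you have decided are a problem rather than for everything the sweep returns.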

Offline Imernillo

  • Bronze Member
  • Posts: 11
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #6 on: April 16, 2012, 03:30:22 PM »
Thanks 1972vet. Here's the next logfile you asked for:

ComboFix 12-04-16.02 - Neil 04/16/2012  21:55:47.3.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.3839.2610 [GMT 1:00]
Running from: c:\users\Neil\Desktop\ComboFix.exe
Command switches used :: c:\users\Neil\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2012-03-16 to 2012-04-16  )))))))))))))))))))))))))))))))
.
.
2012-04-16 20:59 . 2012-04-16 20:59   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-04-15 13:14 . 2012-04-15 13:14   --------   d-----w-   c:\users\Neil\AppData\Roaming\SUPERAntiSpyware.com
2012-04-15 13:13 . 2012-04-15 13:14   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-04-15 13:13 . 2012-04-15 13:13   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2012-04-13 13:41 . 2012-03-14 03:27   8669240   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{A2D5C0DD-B1C0-49F5-9C80-5135C18CB5EF}\mpengine.dll
2012-04-13 01:57 . 2012-03-06 06:53   5559152   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-13 01:57 . 2012-03-06 05:59   3968368   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2012-04-13 01:57 . 2012-03-06 05:59   3913072   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2012-04-13 01:56 . 2012-03-01 06:46   23408   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-04-13 01:56 . 2012-03-01 06:33   81408   ----a-w-   c:\windows\system32\imagehlp.dll
2012-04-13 01:56 . 2012-03-01 05:33   159232   ----a-w-   c:\windows\SysWow64\imagehlp.dll
2012-04-13 01:56 . 2012-03-01 06:38   220672   ----a-w-   c:\windows\system32\wintrust.dll
2012-04-13 01:56 . 2012-03-01 06:28   5120   ----a-w-   c:\windows\system32\wmi.dll
2012-04-13 01:56 . 2012-03-01 05:37   172544   ----a-w-   c:\windows\SysWow64\wintrust.dll
2012-04-13 01:56 . 2012-03-01 05:29   5120   ----a-w-   c:\windows\SysWow64\wmi.dll
2012-04-12 23:20 . 2012-04-12 23:25   --------   d-----w-   c:\programdata\HP
2012-04-04 05:53 . 2012-04-04 05:53   182160   ----a-w-   c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2012-04-02 11:02 . 2012-04-02 11:02   --------   d-----w-   c:\program files (x86)\Common Files\Java
2012-04-02 11:02 . 2012-04-02 11:02   --------   d-----w-   c:\program files (x86)\Java
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 14:56 . 2009-12-03 09:52   24904   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-04-02 11:02 . 2010-07-11 14:36   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-02-23 09:18 . 2009-11-01 14:52   279656   ------w-   c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-14 09:52   1031680   ----a-w-   c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 09:52   826880   ----a-w-   c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 09:52   210944   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 09:52   23552   ----a-w-   c:\windows\system32\drivers\tdtcp.sys
2012-02-15 18:03 . 2011-10-20 09:23   132320   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2012-02-10 06:36 . 2012-03-14 10:03   1544192   ----a-w-   c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 10:03   1077248   ----a-w-   c:\windows\SysWow64\DWrite.dll
2012-02-07 10:02 . 2012-02-07 10:02   1070352   ----a-w-   c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34 . 2012-03-14 10:03   3145728   ----a-w-   c:\windows\system32\win32k.sys
2012-01-25 06:38 . 2012-03-14 09:53   77312   ----a-w-   c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-14 09:53   149504   ----a-w-   c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-14 09:53   9216   ----a-w-   c:\windows\system32\rdrmemptylst.exe
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-04-16_19.29.32   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 08:37 . 2012-04-16 20:01   29464              c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-16 20:01   31240              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-01 14:20 . 2012-04-16 20:01   14284              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1477940481-1996178054-2997081552-1000_UserData.bin
+ 2009-11-01 14:45 . 2012-04-16 20:00   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-01 14:45 . 2012-04-16 10:01   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-01 14:45 . 2012-04-16 20:00   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 14:45 . 2012-04-16 10:01   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 14:45 . 2012-04-16 10:01   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-01 14:45 . 2012-04-16 20:00   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-01 14:15 . 2012-04-16 19:06   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-01 14:15 . 2012-04-16 20:00   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-01 14:15 . 2012-04-16 19:06   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-01 14:15 . 2012-04-16 20:00   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-04-16 20:59 . 2012-04-16 20:59   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-16 19:28 . 2012-04-16 19:28   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-16 20:59 . 2012-04-16 20:59   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-16 19:28 . 2012-04-16 19:28   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-04-16 12:04   628414              c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-16 20:04   628414              c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-16 20:04   110598              c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-04-16 12:04   110598              c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-04-16 19:28   314148              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-04-16 20:59   314148              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-11-25 01:16 . 2012-04-16 20:59   1428284              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1477940481-1996178054-2997081552-1000-8192.dat
- 2010-11-25 01:16 . 2012-04-16 19:28   1428284              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1477940481-1996178054-2997081552-1000-8192.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Global Registration"="c:\program files (x86)\Packard Bell\Registration\GREG.exe" [2009-07-31 2844704]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-15 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 4785536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Packard Bell Photo Frame"="c:\program files (x86)\Packard Bell Photo Frame\ButtonMonitor.exe" [2009-07-20 124416]
"SSBkgdUpdate"="c:\program files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 135664]
R3 Partner Service;Partner Service;c:\programdata\Partner\Partner.exe [2009-08-15 332272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys

S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-12-08 169312]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-11 86224]
S2 Greg_Service;GRegService;c:\program files (x86)\Packard Bell\Registration\GregHSRW.exe [2009-06-04 1150496]
S2 Updater Service;Updater Service;c:\program files\Packard Bell\Packard Bell Updater\UpdaterService.exe [2009-07-04 240160]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 12:08]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-20 12:08]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1477940481-1996178054-2997081552-1000Core.job
- c:\users\Neil\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-09 18:52]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1477940481-1996178054-2997081552-1000UA.job
- c:\users\Neil\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-09 18:52]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2009-08-15 08:25   750064   ----a-w-   c:\programdata\Partner\Partner64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-06-16 7883296]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-06-16 1833504]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=ixtreme_m3720&r=173611090206p0345v1i5y47j19219
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Neil\AppData\Roaming\Mozilla\Firefox\Profiles\higa72lc.default\
FF - prefs.js: browser.startup.homepage -
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
.
**************************************************************************
.
Completion time: 2012-04-16  22:02:54 - machine was rebooted
ComboFix-quarantined-files.txt  2012-04-16 21:02
ComboFix2.txt  2012-04-16 19:56
ComboFix3.txt  2012-04-16 19:32
.
Pre-Run: 255,476,490,240 bytes free
Post-Run: 255,392,550,912 bytes free
.
- - End Of File - - 4F31700A25B962CCD131FAB2CE21A7DD

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #7 on: April 16, 2012, 06:15:56 PM »
Thanks. The locked registry keys were the only issue I saw in the log. I researched your issue on Avira's forum and found another user who posted about it. According to the moderator in This Forum, it's a known issue and they are working on it. I used Avira for a couple years and it was always my experience that issues were worked out in short order. I would imagine, Avira's updates over the next few, should resolve this.
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline Imernillo

  • Bronze Member
  • Posts: 11
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #8 on: April 16, 2012, 06:51:50 PM »
Awesome! I really appreciate your help, and it looks like your gut instinct was correct right from the beginning regarding the hidden objects. Good call.

Thanks also for helping me clear up those registry keys.

Do I need to do anything else for the time being? Or will it simply be a matter of waiting for the folks at Avira to implement a fix?

It would also be useful for me, at this point, to think about optimizing my protection (while it's on my mind). I think I read on other threads here that maybe the Windows Firewall is not great. Would you advise me to install something a bit meatier (eg Zone Alarm or other)?

Should I also uninstall Combofix and DDS now - and delete logfiles etc?

Sorry, tons of questions - last one: am I okay to use my system as normal now, including financial websites? I've steered clear of logging into banking etc since I got the hidden objects warnings, just in case there were any keylogging bugs lurking!

Thanks again for all your help and advice. I really appreciate your taking the time to do that.  :ty

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #9 on: April 17, 2012, 02:16:25 AM »
> Awesome! I really appreciate your help, and it looks like your gut instinct was correct right from the beginning regarding the hidden objects. Good call.
>
> Thanks also for helping me clear up those registry keys.
>
> Do I need to do anything else for the time being? Or will it simply be a matter of waiting for the folks at Avira to implement a fix?
Nothing else needs to be done for now, and waiting on Avira is just the key element. It shouldn't be long before they achieve and implement the fix for the false positive(s).

> It would also be useful for me, at this point, to think about optimizing my protection (while it's on my mind). I think I read on other threads here that maybe the Windows Firewall is not great. Would you advise me to install something a bit meatier (eg Zone Alarm or other)?
In earlier versions of Windows, this was the case, but for Windows 7 and Vista, the native firewall is quite sufficient for home users.

> Should I also uninstall Combofix and DDS now - and delete logfiles etc?
...read below.

> Sorry, tons of questions - last one: am I okay to use my system as normal now, including financial websites? I've steered clear of logging into banking etc since I got the hidden objects warnings, just in case there were any keylogging bugs lurking!
Yes. Things look fine with your system as it is.

> Thanks again for all your help and advice. I really appreciate your taking the time to do that.  :ty
You're quite welcome indeed, very glad to help... You can delete the downloaded DDS file and associated logs, DDS.txt and Attach.txt. Next, please click Start, then in the "Search programs and files" box, type Run. When the "Run" box opens, copy/paste the following, then press the Enter key:
ComboFix /Uninstall

Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

To assist in the prevention of malicious software intrusion and infections, you can begin by reading "How to boost your malware defense and protect your PC"...

Please remember to keep antivirus software on board and always use its real-time protection feature. Run a complete system scan at least once a week... preferably in Safe Mode.

A word of caution
Security vendors, in recent years, have partnered with "Ask.com" in providing the "Ask Toolbar" bundled with their download(s).

Although the toolbar is considered to be a legitimate program, it is nonetheless questionable as to its behavior. It is alleged to be spyware/adware as the behavior of this application tracks a user's history and sends "search" information to its servers in order to provide a user with targeted search results; many of these results may also be for questionable web sites. In fairness, one should keep in mind that Google does the same thing regarding search results.

This tracking is considered by many of us in the security field, to be offensive.

Some of the "Download links" that I may provide, may also contain this program bundled with it. If you choose not to use it, the bundled software will always contain an "Opt Out" measure via some checkbox. The user can check (or uncheck) this box to prevent the download.

If a user isn't cautious and may have mistakenly installed this program, it can easily be removed via the "Uninstall" string provided with the software. Detailed instructions how to remove the program can be found Here.

If your antivirus program is a licensed version that is about to expire, you can consider using one of these available free on the public domain:

Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! 4 Home Edition

Those of us in the online safety/security community have tried and tested these programs to determine their abilities. Having in mind, nothing is ever a guarantee regarding computer security, these programs nevertheless, combined with the rest of these recommendations are certain to have an impact in helping to keep your system running free and clear. I personally have been completely satisfied from having tested and used each one of those at one time or another.

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust, (WOT,) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an add-on available for both Firefox and IE.

Install the WinPatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and its ease of use. Need help understanding something about WinPatrol? Here it is.

Windows Vista and Windows 7 have a software firewall built in and activated by default. This native firewall is a big improvement and is fine by itself. However, there are third party software Firewalls that offer a bit more configuration options for those who need that (usually corporate environments).

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason. I should also mention, if you choose to use a third party firewall, make certain the Windows firewall is turned off to prevent conflict issues.

...and please remember, you should have only one of these types of third party firewalls running on board:

Zone Alarm...Windows 2k/XP/Vista

Outpost Free

Comodo...I highly recommend this firewall, but it may just be best suited for advanced users.

Stay updated with the most recent Windows patches using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. Please avoid using the "registry" cleaning feature of this utility unless you consider yourself an expert. Contrary to popular thought, the Windows Registry has no need of any "cleaning". I personally challenge anyone to show a substantial benefit from having used any of these "registry cleaning" programs. There is none. Any difference at all is so minuscule that it's nearly impossible to calculate.

On the flip side, rather than any benefit, there is the possibility of slicing out enough pieces of the registry to render things useless...and that includes the operating system.

By default, CCleaner will ask you if you want to backup what is removed, and I suggest you do just that. If you have already used this option and found that something no longer works properly, please find the backup that was created and use it to restore that particular item. Remember, using this to clean the disk is absolutely useful and beneficial. A novice needs only to use the disk cleaning feature...and avoid the registry cleaning aspect. It's not difficult...just don't bother to click the Registry button on the menu.

CCleaner is an excellent...and fast disk cleaning utility that can easily be configured to suit your needs. Often, users find a simple reboot resolves a quirky performance issue which can come about as a result of the collection of temp files while browsing the web...and if you configure CCleaner to run on start up, then your system could be kept running fast and clean with each new user session.

The Yahoo Toolbar is included by default during the installation of the CCleaner utility...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

Don't forget to check your system's "defragmenter" settings. With Windows Vista, you have the option to set this as a scheduled event. It is best to have your system's "defrag" function scheduled for at least once a week.

So how did I get infected in the first place?
Regards, and Happy Surfing!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline Imernillo

  • Bronze Member
  • Posts: 11
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #10 on: April 17, 2012, 04:33:47 AM »
Thanks for the highly detailed response, I'll get some of those apps installed once the current problem is fully resolved.

Okay, one more problem has appeared after the uninstall of Combofix. I hadn't realised it was going to need Avira disabled, and it gave me a popup telling me to do that during the uninstall. I went ahead (as I did for the scans) and disabled my firewall and Windows Defender also.

The uninstall completed successfully. However, while I could re-enable Avira and the firewall, I am now unable to do anything with Windows Defender.

When I open up the program box, it says:

"A problem caused this program's service to stop. To start the service, click the Start now button or restart your computer."

When I try hitting the Start now button, I just get the spinning circle, and eventually it times out:

"This operation returned because the timeout period expired. (Error Code: 0x800705b4)"

I tried rebooting the computer a couple of times, but can't seem to get the Defender started again. I did check around and there seems to be incompatibilities between Defender and other a/v software (eg Microsoft Security Essentials, Norton, etc) but it has always worked fine with Avira.

I also disabled the function in SUPERAntiSpyware which runs at start-up, as that is something new (I only installed that program on this computer over the weekend). It didn't work though (I thought it might have been conflicting somehow).

I was going to take my computer back to a previous restore point, but thought better of it, and instead decided to post here for advice - just in case I screw things up even worse!

(The alternative would be if you could suggest a program which does the same thing as Windows Defender, but which is also compatible with Avira and Windows 7 Firewall.)

Thanks again.

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #11 on: April 17, 2012, 06:13:17 AM »
It is my opinion these days that Microsoft Security Essentials is better than Avira... for several reasons. By the way, if you were to choose to uninstall Avira and start using Microsoft Security Essentials (MSE), then I should advise you that the Windows Defender program would be disabled during the installation of MSE. The reason for that is that its scan engine includes the Windows Defender scan engine, so Windows Defender running in tandem with MSE would just be a needless redundancy.

As to your issue at hand now, you can click the start button then type the following in the "Search programs and files..." box:
Services.msc

...then click on the "services.msc" icon that the search returns (it should be located at the top of that window). When the "Services" window opens, click the "Standard" tab at the bottom to expand the window, then scroll down the list of services to locate "Windows Defender".

Double-click on the Windows Defender service name and the properties box will open. Make sure the "Startup type..." is set to "Automatic". You can also try to click the Start button. Click "Apply" and "OK", then close the properties box and services window, then reboot to properly record those changes to the hard disk.

Post back your results. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline Imernillo

  • Bronze Member
  • Posts: 11
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #12 on: April 17, 2012, 06:55:17 AM »
Thanks 1972vet. The Startup type was set as Automatic, but I selected it again just to make sure. When I clicked on Start, it tried to do so, and then gave me an error:

"Windows could not start the Windows Defender service on Local Computer.

Error 126: The specified module could not be found."


Maybe you could provide me with a few of your reasons for feeling MSE is better than Avira these days. I'm certainly not loyal to any 'brand' where a/v software is concerned (having used Norton and AVG in the past as well as Avira for the last few years) - and I'd be happy to switch over to MSE if it's the best out there at the moment.

(Incidentally, when searching for a solution to the Defender problem, most of the info I found was from people who already had MSE installed, which as you mentioned in your last post switches off the regular Windows Defender.)

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #13 on: April 17, 2012, 06:35:31 PM »
> Thanks 1972vet. The Startup type was set as Automatic, but I selected it again just to make sure. When I clicked on Start, it tried to do so, and then gave me an error:
>
> "Windows could not start the Windows Defender service on Local Computer.
>
> Error 126: The specified module could not be found."
>
> Maybe you could provide me with a few of your reasons for feeling MSE is better than Avira these days. I'm certainly not loyal to any 'brand' where a/v software is concerned (having used Norton and AVG in the past as well as Avira for the last few years) - and I'd be happy to switch over to MSE if it's the best out there at the moment.
>
> (Incidentally, when searching for a solution to the Defender problem, most of the info I found was from people who already had MSE installed, which as you mentioned in your last post switches off the regular Windows Defender.)

Sure thing. First, let's address the Windows Defender error. As there is nothing we did which could have caused the issue, the only possibility then would just be some anomaly occurring during a reboot. It happens...now let's fix it:

Click "start" then type CMD in the "Find programs and files..." box. Then right-click on the "cmd.exe" icon and select Run as administrator". Next, when the command prompt opens, copy and paste the following text and press the "Enter" key:
SFC /Scannow

The sfc /scannow command scans all protected system files and replaces incorrect versions with correct Microsoft versions. When the scan completes, reboot the system. Windows Defender should now be able to run.

As to your MSE query, shortly after its preview, a ZDNet article showed how it compared in relation to "paid" antivirus software.

More recently, TechRadar published its review.

The more detailed information regarding Microsoft's Security Essentials is outlined well in Wikipedia. Plainly, Microsoft works hard to maintain its ranking, which from its beginning ranked number one in North America and number two in the world.

You'll find others who have reported on MSE's performance ranking that share the same opinion. I might add, there are still others who have differing views.

My concern, "Consumer Security" focuses, for the most part, on the novice home user. For them, I recommend MSE hands down. If you (editorially speaking) consider yourself a step ahead of the novice, or are indeed an expert, then investigating what precisely fits your particular needs for your setup is a simple task for you (again, editorially speaking) and following that pursuit is fine as well. In that case however, it may also be determined that Microsoft's Security Essentials (or ForeFront, depending on the number of systems your company has), is the better solution.

I don't want to appear as though I'm trying to "sell" anything because I only recommend "Free" products. It should also be noted that what I recommend, I have also tested and found to be the superior product for novice home users under the most general type of home use environment(s)...and at that particular period in time.

I have also noted, over the couple years past, that Microsoft Security Essentials has been a tad better than "neck and neck" when it comes to any of the paid competitors "free" versions.

Thus, it is my learned opinion, at this period in time, that the better of the various free antivirus products available is...Microsoft Security Essentials.

Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
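Added editorial example (not part of the thread, and not what either poster ran): the advice above has the reader set the service's startup type in services.msc and then run sfc /scannow, but a service that fails with "Error 126: The specified module could not be found" is reporting that a file named in its own configuration cannot be loaded. The PowerShell script below reads that configuration and says which file is missing. It assumes the Windows 7 Defender service is named WinDefend and, like other svchost-hosted services, records its DLL under HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Parameters\ServiceDll; both are assumptions stated in the comments, and the script works for any service name you pass it. Run it from a PowerShell prompt opened with "Run as administrator".

```powershell
# Added example, not from the thread. Diagnose a Windows service that will not
# start with "Error 126: The specified module could not be found".
# Usage (elevated PowerShell):  .\Check-ServiceFiles.ps1 -ServiceName WinDefend
# Assumptions: service name 'WinDefend' for Windows Defender on Windows 7;
# svchost-hosted services keep their DLL in <service>\Parameters\ServiceDll.
param([string]$ServiceName = 'WinDefend')

# Get-WmiObject (not Get-CimInstance) so this runs on the PowerShell 2.0 that ships with Windows 7.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Host "Service '$ServiceName' is not installed."; exit 1 }

Write-Host ("Service   : {0} ({1})" -f $svc.Name, $svc.DisplayName)
Write-Host ("State     : {0}" -f $svc.State)
Write-Host ("StartMode : {0}" -f $svc.StartMode)   # should be 'Auto' for Defender
Write-Host ("PathName  : {0}" -f $svc.PathName)

# 1. Does the executable in the image path exist?  Strip surrounding quotes
#    and any arguments (e.g. 'svchost.exe -k secsvcs') before testing.
$exe = $svc.PathName
if ($exe.StartsWith('"')) { $exe = $exe.Substring(1, $exe.IndexOf('"', 1) - 1) }
else { $exe = ($exe -split ' ')[0] }
$exe = [Environment]::ExpandEnvironmentVariables($exe)
Write-Host ("Image file present  : {0}  ({1})" -f (Test-Path $exe), $exe)

# 2. For svchost-hosted services the real code is the ServiceDll; a missing or
#    moved DLL is the usual cause of error 126 when the image itself is fine.
$paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
if (Test-Path $paramKey) {
    $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
    if ($dll) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $dllPresent = Test-Path $dll
        Write-Host ("ServiceDll present  : {0}  ({1})" -f $dllPresent, $dll)
        if ($dllPresent) {
            # A replaced or tampered system DLL would show up here as an
            # unsigned or differently signed file.
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Write-Host ("ServiceDll signature: {0}  signer: {1}" -f $sig.Status, $signer)
        }
    } else {
        Write-Host "No ServiceDll value under Parameters (service is not svchost-hosted)."
    }
} else {
    Write-Host "No Parameters key for this service."
}

# 3. Attempt the start and report the real Win32 error text rather than the
#    generic timeout the Defender UI shows.
try {
    Start-Service -Name $ServiceName -ErrorAction Stop
    Write-Host "Start succeeded."
} catch {
    Write-Host ("Start failed: {0}" -f $_.Exception.Message)
}
```

If the script reports the ServiceDll (or the image file) as not present, sfc /scannow will only help when that file is one Windows File Protection covers; a file under Program Files that is absent needs to be restored from the same source that installed it, and the output tells you exactly which path to look for.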

Offline Imernillo

  • Bronze Member
  • Posts: 11
Re: [Resolved] Avira finds 84 hidden objects, suggests Rescue CD...
« Reply #14 on: April 18, 2012, 01:44:33 AM »
Thanks! Once we can clear up the Defender problem, I'll be upgrading to MSE - it will also be nice to get rid of those popup ads that Avira uses to sell its premium product every time the definitions get updated.

Okay, I ran sfc /scannow and it reported that there were no problems. When I rebooted and went into Windows Defender, I was up against the same issue as before:

"A problem caused this program's service to stop. To start the service, click the Start now button or restart your computer."

When I try hitting the Start now button, I just get the spinning circle, and eventually it times out:

"This operation returned because the timeout period expired. (Error Code: 0x800705b4)"