Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 11-10-2008, 06:42 PM   #1 (permalink)
Ried - PC#2

Ried,
This is my wife's desktop. Her computer has some re-directs, plus the same ads and blocked sites that my laptop was experiencing. Her computer has probably been infected for months...I don't really pay much attention to it - she has a tendency to have more "oops" and "ooohhhh" moments.
Here is the DDS log:

DDS (Version 1.0) - NTFSx86
Run by Steph at 18:55:24.25 on Mon 11/10/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.356 [GMT -6:00]

=============== Created Last 30 ================

2008-11-07 06:32 4,050 a------- c:\windows\system32\tmp.reg
2008-11-06 22:29 <DIR> --d----- c:\docume~1\steph\applic~1\Malwarebytes
2008-11-06 22:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-04 22:20 <DIR> --d----- c:\windows\system32\NtmsData
2008-10-23 11:02 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-10-14 17:27 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-10-14 17:26 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-10-14 17:26 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 17:26 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 17:26 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 17:25 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe

================== Find3M ==================

2008-11-10 18:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-11-04 22:14 <DIR> --d----- c:\program files\HP
2008-11-04 22:13 <DIR> --d----- c:\docume~1\steph\applic~1\SUPERAntiSpyware.com
2008-11-04 22:13 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-09-15 06:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-06 11:26 86,327 ac------ c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-08-26 01:24 826,368 a------- c:\windows\system32\wininet.dll
2008-08-14 04:11 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2008-08-14 03:33 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2008-02-17 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-02-02 23:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2008-01-02 15:29 <DIR> --d----- c:\docume~1\steph\applic~1\extensions
2006-11-06 20:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Creative Memories
2006-11-06 20:31 <DIR> --d----- c:\docume~1\steph\applic~1\Creative Memories
2006-04-15 09:19 <DIR> --d----- c:\docume~1\steph\applic~1\GretagMacbeth
2006-04-15 09:16 <DIR> --d----- c:\docume~1\steph\applic~1\Network Associates
2006-04-15 07:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Network Associates
2006-04-15 00:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Windows Genuine Advantage
2006-04-14 23:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\nView_Profiles

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {F2CF5485-4E02-4F68-819C-B92DE9277049} - c:\windows\system32\ieframe.dll
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [McAfeeFireTray] c:\program files\network associates\mcafee desktop firewall for windows xp\Firetray.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobe reader speed launch.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin wireless utility.lnk - c:\program files\belkin\pci f5d7000\wireless utility\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp digital imaging monitor.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logo calibration loader.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\calibrationloader\CalibrationLoader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photo loader supervisory.lnk - c:\program files\casio\photo loader\Plauto.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\profilereminder.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\ProfileReminder.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office11\MSOXMLMF.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - c:\windows\system32\msvidctl.dll
Handler: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - c:\progra~1\common~1\micros~1\webcom~1\10\OWC10.DLL
Handler: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - c:\progra~1\common~1\micros~1\webcom~1\11\OWC11.DLL
SSODL: {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll

============= SERVICES / DRIVERS ==============

R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\eyeonedp.sys
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.SYS

============= FINISH: 18:55:54.50 ===============
Attached Files
File Type: txt Attach.txt (13.3 KB, 1 views)
File Type: txt gmer.txt (4.4 KB, 1 views)
red_machine is offline  
Old 11-10-2008, 08:08 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Re: Ried - PC#2

Hi red_machine,

If it's any consolation, I do see what's going on here.

We'll begin with ComboFix. Download the tool from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-10-2008, 09:52 PM   #3 (permalink)

Re: Ried - PC#2

ComboFix 08-11-10.01 - Steph 2008-11-10 22:49:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.729 [GMT -6:00]
Running from: c:\documents and settings\Steph\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-10 19:02 . 2008-11-10 20:47 250 --a------ c:\windows\gmer.ini
2008-11-07 06:32 . 2008-11-07 06:32 4,050 --a------ c:\windows\system32\tmp.reg
2008-11-06 22:33 . 2008-11-06 22:33 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-06 22:32 . 2008-11-06 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 22:32 . 2008-11-06 22:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Simply Super Software
2008-11-06 22:29 . 2008-11-06 22:29 <DIR> d-------- c:\documents and settings\Steph\Application Data\Malwarebytes
2008-11-06 22:29 . 2008-11-06 22:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-04 22:20 . 2008-11-04 22:21 <DIR> d-------- c:\windows\system32\NtmsData
2008-10-23 11:02 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 17:27 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-14 17:26 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 17:26 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 17:26 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 17:26 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-14 17:25 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 00:43 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-10 23:27 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-05 04:14 --------- d-----w c:\program files\HP
2008-11-05 04:13 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-05 04:13 --------- d-----w c:\documents and settings\Steph\Application Data\SUPERAntiSpyware.com
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-01-02 21:29 96,061 -c--a-w c:\documents and settings\Steph\Application Data\xpti.dat
2008-01-02 21:29 168,364 -c--a-w c:\documents and settings\Steph\Application Data\compreg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-10-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2004-02-19 147514]
"McAfeeFireTray"="c:\program files\Network Associates\McAfee Desktop Firewall for Windows XP\Firetray.exe" [2005-04-12 655420]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-06 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-06 659456]
"nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Belkin Wireless Utility.lnk - c:\program files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-08-18 1388544]
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-05-28 241664]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2006-04-15 708608]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2006-06-12 229376]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2006-04-15 954368]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpoews01.exe"=
"c:\\WINDOWS\\system32\\hphmon06.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\DRIVERS\SI3112r.sys [2006-01-12 102528]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-11-01 10368]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2004-07-16 14416]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\DRIVERS\BLKWGD.sys [2005-06-01 463872]
S3 eyeonedp;eye-one display;c:\windows\system32\DRIVERS\eyeonedp.sys [2006-01-30 44344]
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\System32\wlanndi5.SYS [2004-04-21 16384]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-06 22:53]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Steph\Application Data\Mozilla\Firefox\Profiles\grh5y4bb.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.techsupportforum.com/security-center/hijackthis-log-help/311570-ried-pc-2-a.html#post1796710
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 22:50:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-10 22:51:08
ComboFix-quarantined-files.txt 2008-11-11 04:51:03

Pre-Run: 20,062,470,144 bytes free
Post-Run: 20,049,661,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

123 --- E O F --- 2008-10-24 02:13:39
red_machine is offline  
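An added example, not part of this thread and not code from ComboFix or DDS: a small triage script for the Run-key block in logs like the two posted above. It reads both line shapes seen here, the ComboFix form ("name"="path" [date size], or [date resolved-path] for bare names) and the DDS form (mRun: [name] command line), and flags the entries a reviewer would look at first: a bare executable name with no directory (Windows resolves it through the search path, so whichever same-named file is found first gets loaded), a path outside Windows or Program Files, a path in a user-writable location, and a modification date close to the log date. The sample input is constructed for the example; every entry in it except "Updater" is copied from the logs above, and "Updater" is invented so the checks have something to fire on. It does not appear on this machine.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Line shapes seen in this thread's logs.  ComboFix prints the Run key as
#   "name"="path" [yyyy-mm-dd size]          (or [yyyy-mm-dd resolved-path] for bare names)
# and DDS prints it as
#   mRun: [name] command line
COMBOFIX_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
DDS_RE = re.compile(r'^[mud]Run(?:Once)?:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$')
EXE_RE = re.compile(r'(.*?\.(?:exe|dll|com|scr|bat|cmd))(?=\s|,|$)', re.IGNORECASE)

EXPECTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\')
USER_WRITABLE_HINTS = ('\\documents and settings\\', '\\application data\\', '\\temp\\')

# Constructed sample.  All entries except "Updater" are copied from the logs above;
# "Updater" is invented for the example so the checks have something to flag.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 c:\windows\system32\nwiz.exe]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Updater"="c:\documents and settings\steph\application data\svchost.exe" [2008-11-07 40960]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [WINDVDPatch] CTHELPER.EXE
'''


@dataclass
class AutorunEntry:
    name: str
    command: str
    target: str                  # the file that actually gets loaded
    modified: Optional[date]     # date from the ComboFix bracket, if any
    flags: List[str] = field(default_factory=list)


def target_of_command(cmd: str) -> str:
    """Pick the loaded file out of a DDS-style command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        m = EXE_RE.match(cmd)
        exe, rest = (m.group(1), cmd[m.end():]) if m else (cmd.partition(' ')[0], cmd.partition(' ')[2])
    # rundll32 is only the host: the real autorun is the DLL named in its first argument
    if exe.lower().endswith('rundll32.exe') and rest.strip():
        exe = rest.strip().split(',', 1)[0].strip('"')
    return exe


def parse_entries(text: str) -> List[AutorunEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = COMBOFIX_RE.match(line)
        if m:
            meta = m.group('meta').split()
            try:
                modified = date.fromisoformat(meta[0]) if meta else None
            except ValueError:
                modified = None
            # ComboFix already strips arguments, so the value is the loaded file itself
            entries.append(AutorunEntry(m.group('name'), m.group('cmd'), m.group('cmd').strip(), modified))
            continue
        m = DDS_RE.match(line)
        if m:
            entries.append(AutorunEntry(m.group('name'), m.group('cmd'), target_of_command(m.group('cmd')), None))
    return entries


def triage(entries: List[AutorunEntry], log_date: date, recent_days: int = 30) -> List[AutorunEntry]:
    """Attach flags to each entry; return only the entries that got at least one."""
    flagged = []
    for e in entries:
        t = e.target.lower()
        if '\\' not in t:
            e.flags.append('unqualified name: resolved through the search path, first same-named file wins')
        elif not t.startswith(EXPECTED_PREFIXES):
            e.flags.append('outside Windows/Program Files')
        if any(h in t for h in USER_WRITABLE_HINTS):
            e.flags.append('user-writable location')
        if e.modified is not None and log_date - e.modified <= timedelta(days=recent_days):
            e.flags.append('modified within %d days of the log' % recent_days)
        if e.flags:
            flagged.append(e)
    return flagged


def triage_log(text: str, log_date_iso: str, recent_days: int = 30):
    """Parse and triage in one call; returns (name, target, flags) tuples."""
    flagged = triage(parse_entries(text), date.fromisoformat(log_date_iso), recent_days)
    return [(e.name, e.target, e.flags) for e in flagged]


if __name__ == '__main__':
    for name, target, flags in triage_log(SAMPLE_LOG, '2008-11-10'):
        print('%-12s %s\n    %s' % (name, target, '; '.join(flags)))
```

Run against the sample with the ComboFix log date, it reports nwiz and WINDVDPatch (bare names, both legitimate NVIDIA and Creative components on this machine, but exactly the shape a planted file would exploit) and the invented Updater entry with all three location and date flags. A flag is a reason to look, not a verdict; the next step is checking the flagged file's publisher, hash and creation time.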
Old 11-10-2008, 09:57 PM   #4 (permalink)

Re: Ried - PC#2

This PC is looking good. How is it behaving after resetting the router?

What needs to be done is online scans for both XP machines.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply, along with an update on system behavior.
Ried is offline  
Old 11-11-2008, 05:48 AM   #5 (permalink)

Re: Ried - PC#2

Kaspersky scan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, November 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, November 11, 2008 04:09:51
Records in database: 1379090
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 55936
Threat name: 6
Infected objects: 15
Suspicious objects: 2
Duration of the scan: 01:29:08


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Steph\Application Data\Thunderbird\Profiles\69kj33tw.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Steph\Desktop\Matts Files\Thunderbird\Profiles\matts profile\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Zhelatin.h 6
C:\Documents and Settings\Steph\Desktop\Matts Files\Thunderbird\Profiles\matts profile\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Zhelatin.k 1
C:\Documents and Settings\Steph\Desktop\Matts Files\Thunderbird\Profiles\matts profile\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Zhelatin.m 4
C:\Documents and Settings\Steph\Desktop\Matts Files\Thunderbird\Profiles\matts profile\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Zhelatin.o 3

The selected area was scanned.
Attached Files
File Type: txt kasp.txt (1.7 KB, 1 views)

Last edited by Ried; 11-11-2008 at 06:52 PM.
red_machine is offline  
Old 11-11-2008, 06:54 PM   #6 (permalink)

Re: Ried - PC#2

Hello matt_pete,

Nothing horrible here, just some infected emails in your Thunderbird inbox. Unfortunately the scan doesn't tell us which ones, so I would empty the entire Inbox.

How is the system behaving?
Ried is offline  
Old 11-11-2008, 07:07 PM   #7 (permalink)

Re: Ried - PC#2

Ried,
Would these infected emails have an attachment, or not necessarily? My wife would rather not delete all of the emails if she doesn't have to, but she'll get over it if that's what we need to do.
red_machine is offline  
Old 11-11-2008, 07:15 PM   #8 (permalink)

Re: Ried - PC#2

Not necessarily. The infected e-mail could be anything--even something one of her friends forwarded. Let's see if Panda can see them, and if it will be more specific.

Perform an online scan with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.

Last edited by Ried; 11-11-2008 at 07:16 PM.
Ried is offline  
Old 11-11-2008, 09:13 PM   #9 (permalink)

Re: Ried - PC#2

panda log
Attached Files
File Type: txt ActiveScan.txt (80.4 KB, 4 views)
red_machine is offline  
Old 11-12-2008, 08:38 PM   #10 (permalink)

Re: Ried - PC#2

Hello red_machine,

As you can see (if you look very closely), Panda disinfected quite a lot of those infected e-mails, but also left some.

Quote:
C:\Documents and Settings\Steph\Desktop\Matts Files\Thunderbird\Profiles\matts profile\Mail\Local Folders\Inbox [flash postcard.exe]
As I've never had infected e-mails, and I don't use Thunderbird, I can't say if the name in brackets [ ] is actually the name of the e-mail. It seems unlikely as there are so many of them.

What we do know is that the infected e-mails are in the Junk folder and the Inbox Folder.

Simply empty the Junk Folder.

The bracketed names in the Inbox folder boil down to these:

[flash postcard.exe]
[Full Clip.exe]
[Full Story.exe]
[Full Video.exe]
[greeting card.exe]
[Greeting Postcard.exe]
[postcard.exe]
[Read More.exe]


See if there are any e-mails with that name - perhaps do a search of your system and see if anything turns up.

Let me know...
Ried is offline  
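An added example, not from the thread and not from any of the tools used in it, for the search suggested above. Thunderbird keeps each Local Folders mail folder (Inbox, Junk, and so on) as a plain mbox file, which Python's standard mailbox module reads, so the bracketed names can be matched to the messages that carry them. The script lists every message with an attachment that either has an executable extension, like the names in the list above, or whose decoded content starts with the MZ header of a Windows executable regardless of the extension. That second check goes a little beyond the thread: it also catches an executable renamed to look like an image. The mailbox content below is constructed for the example (the base64 decodes to the first bytes of a PE header, not to a working program); for live use, point find_risky_messages at the Inbox file whose path appears in the Kaspersky and Panda reports.

```python
import mailbox
import os
import tempfile
from email.message import Message
from typing import List, Tuple

# Extensions an e-mail worm of this era shipped its payload under
RISKY_EXTENSIONS = ('.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.vbs', '.js')

# Constructed sample mailbox in Thunderbird's mbox layout (not the user's real Inbox).
# Messages 2 and 3 carry executables (the base64 decodes to the MZ header bytes),
# message 4 carries a real JPEG header and must not be flagged.
SAMPLE_MBOX = """From - Mon Nov 10 18:00:00 2008
From: friend@example.invalid
Subject: Lunch?
Message-ID: <1@example.invalid>

See you at noon.

From - Mon Nov 10 18:05:00 2008
From: cards@example.invalid
Subject: You've received a greeting card
Message-ID: <2@example.invalid>
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Open the card!
--b2
Content-Type: application/octet-stream; name="greeting card.exe"
Content-Disposition: attachment; filename="greeting card.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b2--

From - Mon Nov 10 18:10:00 2008
From: news@example.invalid
Subject: Full Video
Message-ID: <3@example.invalid>
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: image/jpeg; name="Full Video.jpg"
Content-Disposition: attachment; filename="Full Video.jpg"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b3--

From - Mon Nov 10 18:15:00 2008
From: mom@example.invalid
Subject: photo
Message-ID: <4@example.invalid>
Content-Type: multipart/mixed; boundary="b4"

--b4
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b4--
"""


def risky_attachments(msg: Message) -> List[str]:
    """Names of attachments in msg that are, or contain, Windows executables."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == 'multipart':
            continue
        name = part.get_filename()
        if not name:
            continue
        if name.lower().endswith(RISKY_EXTENSIONS):
            found.append(name)
        elif (part.get_payload(decode=True) or b'')[:2] == b'MZ':
            found.append(name + ' (PE header under a non-executable extension)')
    return found


def find_risky_messages(mbox_path: str) -> List[Tuple[str, str, List[str]]]:
    """(Message-ID, Subject, risky attachment names) for each message that has one."""
    hits = []
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for msg in box:
            risky = risky_attachments(msg)
            if risky:
                hits.append((msg.get('Message-ID', '').strip(), msg.get('Subject', '').strip(), risky))
    finally:
        box.close()
    return hits


def scan_sample() -> List[Tuple[str, str, List[str]]]:
    """Write the constructed mailbox to a temporary file and scan it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, 'w', newline='\n') as f:
            f.write(SAMPLE_MBOX)
        return find_risky_messages(path)
    finally:
        os.unlink(path)


if __name__ == '__main__':
    for msg_id, subject, names in scan_sample():
        print(msg_id, repr(subject), names)
```

Close Thunderbird before reading a live Inbox so the file is not being rewritten under the scanner, and treat the output as a list of messages to delete (the Message-ID and Subject are enough to find each one in the folder) rather than emptying the whole Inbox.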
Old 11-12-2008, 08:39 PM   #11 (permalink)

Re: Ried - PC#2

I think those must be the names of the attachments...I'll do a bit of digging.
red_machine is offline  
Old 11-12-2008, 08:40 PM   #12 (permalink)

Re: Ried - PC#2

That's what I'm thinking, now that you mention it. Thanks, it would be helpful to know.
Ried is offline  
Old 11-12-2008, 09:21 PM   #13 (permalink)

Re: Ried - PC#2

All that junk was in OLD, and I mean OLD files - emails from 3 or 4 years ago from when I reformatted my computer 2-3x ago...I saved all the "important" files onto this computer and never thought anything of it.
Anyway, every cookie and everything linked to those old files is gone. The only thing I can't find is the very last thing on that list. Something about system volume information - tied to the smit fraud fix garbage.
red_machine is offline  
Old 11-12-2008, 09:31 PM   #14 (permalink)

Re: Ried - PC#2

No worries, System Volume Information is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache with the uninstall of ComboFix.


If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u


Shall we consider this machine resolved as well?
Ried is offline  
 

