Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1, 08-17-2009, 05:18 PM, wolski888 (Registered User; Join Date: Sep 2008; Location: Guelph, ON, Canada; Posts: 143; OS: XP Service Pack 2, Windows 2000)

[SOLVED] Infected with HTML/Infected.WebPage.Gen HTML script virus

Hi,
As my title suggests, my bro's laptop has this annoying infection.
I have Avira, as my logs will say, and the infection seems to be in a Firefox profile. (Can I reinstall Firefox to fix my problem?)
I use Firefox but my brother uses IE 8 (and so IE is the default).
At random times, when connected to the Internet, a popup appears, usually with
a scanner showing you it's scanning your computer, or an ad for bad, virulent AV software. I know it's bad, so I click
the X button in the corner and it will go away for a variable amount of time.
Avira, btw, cannot get rid of it and in fact does not even find it after scanning with maximum options.
This also happens sometimes, though much more rarely: a message appears telling me I have an infected computer and wants me to press OK and scan using IE. I click X, and once it opened IE with a scanning screen. I clicked X ASAP.

One more issue: Firefox sometimes will say "Firefox has stopped working..."
and that it will close. Right away a balloon pops up in the tray telling me the browser was closed to protect me from Data Execution Prevention.

Avira sometimes, at random times, pops up saying a virus or unwanted program was found, right? It asks me what to do with this file:
Move to quarantine
Delete
Overwrite and delete
Rename
Deny access
Ignore

I usually picked Delete or Deny access.
It found the virus in this file:
C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\jfyfitzg.default\Cache\34F11269d01

I understand I have Limewire. My brother uses it sometimes for music.
I know your policy on P2P software. If you can make an exception, cool.
However, just ask and I will remove it.

Logs are posted. I have Vista, but the logs tell you that anyway.
Any other info, just ask.
Thank you so much, and I will pray for you.
Here is the DDS log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Piotrek at 15:32:50.34 on 17/08/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1982.1109 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\UAService7.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Oxigen\bin\Oxigen.exe
C:\Program Files\Oxigen\bin\OxiTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnp2uvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Piotrek\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://uoguelph.ca/
uSearch Bar = Preserve
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [AdobeBridge]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OxigenClientAdmin] "c:\program files\oxigen\bin\Oxigen.exe"
mRun: [OxigenTrayIcon] c:\program files\oxigen\bin\OxiTray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {047C3241-279D-438A-BC34-9AD1C1910FC0} - hxxp://www.mathcentre.ac.uk/resources/tests/activex/DrsDnldProj1.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\certenrollui32.dll,c:\windows\system32\divx_xx0732.dll,c:\windows\system32\commdlg32.dll,c:\windows\system32\divx_xx0c32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\piotrek\appdata\roaming\mozilla\firefox\profiles\jfyfitzg.default\
FF - prefs.js: browser.startup.homepage - www.pcfinancial.ca
FF - component: c:\users\piotrek\appdata\roaming\mozilla\firefox\profiles\jfyfitzg.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\users\piotrek\appdata\roaming\mozilla\firefox\profiles\jfyfitzg.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\piotrek\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2009-4-21 97608]
R2 AntiVirFirewallService;Avira Firewall;c:\program files\avira\antivir desktop\avfwsvc.exe [2009-4-21 388865]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2009-4-21 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-21 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2009-4-21 434945]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2009-4-21 69632]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-12-3 33752]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 ST50220;Sonix ST50220 USB Video Camera Driver;c:\windows\system32\drivers\ST50220.sys [2009-6-18 26752]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-08-13 23:20 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-13 23:20 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-13 23:20 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-13 23:20 270,848 a------- c:\windows\system32\schannel.dll
2009-08-13 23:20 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-13 23:20 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-13 23:20 72,704 a------- c:\windows\system32\secur32.dll
2009-08-13 23:20 9,728 a------- c:\windows\system32\lsass.exe
2009-08-12 17:59 71,680 a------- c:\windows\system32\atl.dll
2009-08-12 17:59 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-12 17:59 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-12 17:59 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-12 17:59 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-12 17:59 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-12 17:59 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-12 17:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-12 17:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-12 17:59 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-12 17:59 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-08 10:24 120,320 a------- c:\windows\system32\divx_xx0c32.dll
2009-08-08 10:24 120,320 a------- c:\windows\system32\COMMDLG32.dll
2009-08-08 10:23 120,320 a------- c:\windows\system32\divx_xx0732.dll
2009-08-08 10:23 120,320 a------- c:\windows\system32\CertEnrollUI32.dll
2009-08-08 10:23 1,372 a------- c:\windows\system32\LF1nPsmSb0IphsZ.vbs
2009-08-03 13:23 <DIR> --d----- c:\program files\Conduit
2009-08-03 13:23 <DIR> --d----- c:\program files\iWin
2009-08-03 13:23 <DIR> --d----- c:\programdata\iWin Games
2009-08-03 13:23 <DIR> --d----- c:\progra~2\iWin Games
2009-07-26 20:32 <DIR> --d----- c:\users\piotrek\appdata\roaming\BitTorrent
2009-07-19 20:06 613 a------- c:\windows\eReg.dat
2009-07-18 19:36 289,552 a------- c:\windows\system32\temp.003
2009-07-18 19:36 28,672 a------- c:\windows\system32\temp.002
2009-07-18 15:55 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-08-16 20:00 13,119 a------- c:\users\piotrek\appdata\roaming\nvModes.dat
2009-08-05 09:27 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-05 09:27 51,200 a------- c:\windows\inf\infpub.dat
2009-08-05 09:26 143,360 a------- c:\windows\inf\infstor.dat
2009-08-05 07:53 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-05 06:54 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-15 11:29 48,273 a------- c:\windows\system32\nianchoojiugggkwc.exe
2009-06-21 09:04 34 a------- c:\users\piotrek\jagex_runescape_preferences.dat
2009-06-19 17:57 54,916 a------- c:\programdata\nvModes.dat
2009-06-19 17:57 54,916 a------- c:\progra~2\nvModes.dat
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-08 16:10 56 a---h--- c:\programdata\ezsidmv.dat
2009-06-08 16:10 56 a---h--- c:\progra~2\ezsidmv.dat
2009-06-01 22:16 665,600 a------- c:\windows\inf\drvindex.dat
2009-04-30 19:51 10,970 a------- c:\users\piotrek\graffpity.zip
2009-04-02 20:50 97,456 a------- c:\users\piotrek\appdata\roaming\GDIPFONTCACHEV1.DAT
2009-02-06 17:31 53,248 a------- c:\users\piotrek\lametritonus_en.dll
2009-02-06 17:31 162,304 a------- c:\users\piotrek\lame_enc_en.dll
2008-11-14 01:21 192 a------- c:\users\piotrek\appdata\roaming\wklnhst.dat
2008-09-30 22:50 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:35:23.78 ===============
Attached Files
File Type: zip Attach.zip (4.5 KB, 1 views)

Last edited by wolski888; 08-17-2009 at 05:21 PM. Reason: Address Limewire issue
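A script that triages the DDS log above for the artefacts a removal helper checks first (a populated AppInit_DLLs value, freshly dropped scripts and programs in system32, clusters of same-size DLLs created together, and random-looking file names), added here as an example; it is not part of this thread and not the DDS tool's own code. The sample text is a constructed excerpt of the log above, and the name heuristic and clustering thresholds are assumptions:

```python
"""Triage a DDS log for the artefacts a malware-removal helper checks first.

Added example, not part of the thread and not the DDS tool's own code.  It
parses the 'Pseudo HJT Report' and file-listing sections of a DDS log and
reports entries worth a closer look; the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed excerpt made up of lines that appear in the thread's DDS log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://uoguelph.ca/
mURLSearchHooks: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWin.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
AppInit_DLLs: c:\windows\system32\certenrollui32.dll,c:\windows\system32\divx_xx0732.dll,c:\windows\system32\commdlg32.dll,c:\windows\system32\divx_xx0c32.dll

=============== Created Last 30 ================

2009-08-13 23:20 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-08 10:24 120,320 a------- c:\windows\system32\divx_xx0c32.dll
2009-08-08 10:24 120,320 a------- c:\windows\system32\COMMDLG32.dll
2009-08-08 10:23 120,320 a------- c:\windows\system32\divx_xx0732.dll
2009-08-08 10:23 120,320 a------- c:\windows\system32\CertEnrollUI32.dll
2009-08-08 10:23 1,372 a------- c:\windows\system32\LF1nPsmSb0IphsZ.vbs
2009-08-03 13:23 <DIR> --d----- c:\program files\iWin

==================== Find3M ====================

2009-07-15 11:29 48,273 a------- c:\windows\system32\nianchoojiugggkwc.exe
"""

# One DDS file-listing line: "<date> <time> <size or <DIR>> <attrs> <path>".
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(\S+)\s+(.+?)\s*$")
SYSTEM32 = "\\windows\\system32\\"
# Script/program extensions that should not appear freshly dropped in system32
# (new DLLs there are usually Windows updates, so they are judged by clustering instead).
LOOSE_EXTS = {".vbs", ".js", ".exe", ".scr", ".bat", ".cmd"}
VOWELS = set("aeiou")


def parse_files(log_text):
    """Yield (date, size or None for directories, path) for each file-listing line."""
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            date, _time, size, _attrs, path = m.groups()
            yield (date, (None if size == "<DIR>" else int(size.replace(",", ""))), path)


def parse_appinit(log_text):
    """Return the DLL paths under AppInit_DLLs; every one is loaded into every
    process that loads user32.dll, so a non-empty value deserves a look."""
    for line in log_text.splitlines():
        if line.startswith("AppInit_DLLs:"):
            return [p.strip() for p in line.split(":", 1)[1].split(",") if p.strip()]
    return []


def looks_random(stem):
    """Heuristic (an assumption, not a DDS rule) for machine-generated names: a run
    of six or more consonants, or a digit wedged between letters in a mixed-case name."""
    run = longest = 0
    for c in stem.lower():
        if c.isalpha():
            run = 0 if c in VOWELS else run + 1
            longest = max(longest, run)
    interior_digit = re.search(r"[A-Za-z]\d[A-Za-z]", stem) is not None
    mixed_case = any(c.isupper() for c in stem) and any(c.islower() for c in stem)
    return longest >= 6 or (interior_digit and mixed_case)


def triage(log_text):
    """Run the checks over a DDS log and return the findings grouped by rule."""
    files = list(parse_files(log_text))
    findings = {"appinit_dlls": parse_appinit(log_text),
                "loose_programs_in_system32": [], "random_names": []}
    by_date_size = defaultdict(list)
    for date, size, path in files:
        base = path.rsplit("\\", 1)[-1]          # keep original case for the name heuristic
        stem, dot, ext = base.rpartition(".")
        in_system32 = SYSTEM32 in path.lower()
        if in_system32 and dot and "." + ext.lower() in LOOSE_EXTS:
            findings["loose_programs_in_system32"].append(path)
        if in_system32 and size is not None:
            by_date_size[(date, size)].append(path)
        if looks_random(stem if dot else base):
            findings["random_names"].append(path)
    # Several files of identical size appearing in system32 on the same day under
    # unrelated names is the signature of one dropper writing copies of itself.
    findings["same_size_clusters"] = {k: v for k, v in by_date_size.items() if len(v) >= 2}
    created = {p.lower() for _, _, p in files}
    findings["appinit_recently_created"] = [d for d in findings["appinit_dlls"]
                                            if d.lower() in created]
    return findings


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"[{rule}]")
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("   ", hit)
```

Run it as a script to print the grouped findings. On this excerpt it flags all four AppInit_DLLs entries (created together on 2009-08-08 with identical sizes), plus LF1nPsmSb0IphsZ.vbs and nianchoojiugggkwc.exe; the kerberos.dll update from 2009-08-13 passes every rule, which is why new DLLs are judged by clustering rather than by extension alone.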

#2, 08-20-2009, 09:37 PM, wolski888 (Registered User)

Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

Bump, please
#3, 08-22-2009, 07:01 PM, wolski888 (Registered User)

Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

Bump please
#4, 08-23-2009, 09:18 PM, Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,882; OS: WinXP and Vista)

Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

Hello wolski888,

Quote:
    It found the virus in this file:
    C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\jfyfitzg.default\Cache\34F11269d01
The infection is only being reported in the Firefox cache. Have you tried clearing the cache yet? Launch Firefox > Tools > Clear Private Data and ensure Cache is checked.

Let me know if that helped, or if you are still getting alerts.


===============================

As a side note, uninstall the iWin Toolbar via Add or Remove Programs. See the write-up here.

===============================

Perform an online scan with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#5, 08-24-2009, 09:06 AM, wolski888 (Registered User)

Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

Hi Ried,

Thanks for your reply.
I did Clear Recent History (Firefox 3.5 is a bit different).
Cache was checked, but this did not fix the issue.
I would like to say my Google search is infected as well.
It gives results to porn sites and just bad sites in general,
and clicking on a good site in the results will redirect to a website with the word "biz" in the URL.

I uninstalled iWin successfully.

I just finished an exhaustive Monday morning scan with Panda.
It was very useful. Logs attached,
one before my disinfection and one after.
Hope you don't mind.

I would like to point out that my brother, without my knowledge, switched
from Avira to McAfee (I know it's worse, but Avira got him here in the first place, which is why I understand him... I miss ESET (sigh)).

Thanks again for helping.
Attached Files
File Type: txt ActiveScan.txt (7.9 KB, 3 views)
File Type: txt ActiveScan1.txt (7.9 KB, 3 views)
#6, 08-24-2009, 12:21 PM, Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)

Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

Did you show your brother the results? Highlight the P2P worm entries for him.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

====================================================


Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.

Open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.
    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)
  • Next, select never for "When to re-enable real time scanning"
  • and click OK.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
#7, 08-24-2009, 02:07 PM, wolski888 (Registered User)

Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

Haha, I'll make sure I do that.

I ran ComboFix (finally!!) successfully.
No more Google redirects after the Panda scan, btw.
Looking good after that scan.

But CF seemed to do much.
Here is the log. Thanks again for helping me.

ComboFix 09-08-24.04 - Piotrek 24/08/2009 15:42.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1982.1056 [GMT -4:00]
Running from: c:\users\Piotrek\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-470251150-81701795-3010873047-500
c:\$recycle.bin\S-1-5-21-849490170-988921149-3139013046-500
c:\users\Guest\AppData\Roaming\020000007c5f5211654C.manifest
c:\users\Guest\AppData\Roaming\020000007c5f5211654O.manifest
c:\users\Guest\AppData\Roaming\020000007c5f5211654P.manifest
c:\users\Guest\AppData\Roaming\020000007c5f5211654S.manifest
c:\users\Piotrek\AppData\Roaming\020000007c5f5211654C.manifest
c:\users\Piotrek\AppData\Roaming\020000007c5f5211654O.manifest
c:\users\Piotrek\AppData\Roaming\020000007c5f5211654P.manifest
c:\users\Piotrek\AppData\Roaming\020000007c5f5211654S.manifest
c:\windows\Installer\e93840.msi
c:\windows\system32\LF1nPsmSb0IphsZ.vbs
c:\windows\system32\nianchoojiugggkwc.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-24 19:53 . 2009-08-24 19:53 -------- d-----w- c:\users\Piotrek\AppData\Local\temp
2009-08-24 19:53 . 2009-08-24 19:53 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-08-24 19:53 . 2009-08-24 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-24 19:16 . 2009-08-24 19:16 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-24 11:32 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-24 11:31 . 2009-08-24 11:31 -------- d-----w- c:\program files\Panda Security
2009-08-21 18:48 . 2009-08-21 18:48 -------- d-----w- c:\users\Guest\AppData\Local\QuickPlay
2009-08-21 03:54 . 2009-07-07 02:44 103424 ----a-w- c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\lx70qbhh.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-08-21 03:54 . 2009-07-07 02:44 937984 ----a-w- c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\lx70qbhh.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-08-21 03:54 . 2009-07-07 02:44 65536 ----a-w- c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\lx70qbhh.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-08-21 03:54 . 2009-07-07 02:44 106496 ----a-w- c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\lx70qbhh.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-08-21 03:54 . 2009-07-07 02:44 4722688 ----a-w- c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\lx70qbhh.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-08-21 03:54 . 2009-07-07 02:44 344064 ----a-w- c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\lx70qbhh.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-08-20 20:36 . 2009-08-21 04:01 -------- d-----w- c:\users\Piotrek\AppData\Local\QuickPlay
2009-08-20 20:04 . 2009-08-20 20:04 -------- d-----w- c:\programdata\SiteAdvisor
2009-08-20 20:02 . 2009-07-08 17:44 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-08-20 20:02 . 2009-07-08 17:44 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-08-20 20:02 . 2009-07-08 17:44 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-08-20 20:02 . 2009-07-16 16:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-08-20 20:01 . 2009-08-20 20:02 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-20 20:01 . 2009-08-20 20:01 -------- d-----w- c:\program files\McAfee.com
2009-08-20 20:01 . 2009-08-22 01:37 -------- d-----w- c:\program files\McAfee
2009-08-20 19:58 . 2009-07-08 17:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-08-20 19:56 . 2009-08-20 23:02 -------- d-----w- c:\programdata\McAfee
2009-08-20 19:06 . 2009-08-20 19:06 -------- d-----w- c:\users\Guest\AppData\Roaming\Hewlett-Packard
2009-08-20 19:06 . 2009-08-20 19:06 -------- d-----w- c:\users\Guest\AppData\Local\Hewlett-Packard
2009-08-20 19:05 . 2009-08-20 19:05 101352 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-18 17:30 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2009-08-18 17:30 . 2009-08-18 17:56 -------- d-----w- c:\program files\DVD Flick
2009-08-14 03:20 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-14 03:20 . 2009-06-15 14:53 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-14 03:20 . 2009-06-15 14:54 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-14 03:20 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-14 03:20 . 2009-06-15 14:52 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-14 03:20 . 2009-06-15 23:15 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-14 03:20 . 2009-06-15 14:53 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-14 03:20 . 2009-06-15 12:48 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-12 21:59 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 21:59 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 21:59 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 21:59 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 21:59 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 21:59 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 21:59 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 21:59 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-08 13:19 . 2009-08-08 13:18 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-08-03 17:23 . 2009-08-03 17:28 -------- d-----w- c:\programdata\iWin Games
2009-08-03 17:23 . 2009-07-09 20:20 46128 ----a-w- c:\programdata\iWin Games\firefox\iWinArcadeLauncher.exe
2009-07-27 00:32 . 2009-07-27 13:42 -------- d-----w- c:\users\Piotrek\AppData\Roaming\BitTorrent
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 19:18 . 2008-09-30 00:12 -------- d-----w- c:\program files\Windows Live
2009-08-24 19:15 . 2009-01-19 18:36 -------- d-----w- c:\program files\Microsoft
2009-08-24 03:52 . 2008-10-01 02:01 13119 ----a-w- c:\users\Piotrek\AppData\Roaming\nvModes.dat
2009-08-22 14:11 . 2009-06-08 20:06 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Skype
2009-08-22 14:10 . 2009-06-08 20:10 -------- d-----w- c:\users\Piotrek\AppData\Roaming\skypePM
2009-08-20 20:30 . 2007-05-31 08:51 -------- d-----w- c:\program files\Hp
2009-08-20 20:29 . 2007-05-31 08:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-20 19:34 . 2009-04-21 19:57 -------- d-----w- c:\programdata\Avira
2009-08-18 05:17 . 2009-06-03 16:38 -------- d-----w- c:\program files\Tunatic
2009-08-17 23:59 . 2008-12-15 01:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-14 03:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-12 15:03 . 2007-05-31 09:17 -------- d-----w- c:\programdata\Microsoft Help
2009-08-08 13:19 . 2009-04-25 01:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-08 13:18 . 2009-08-20 19:04 38208 ----a-w- c:\users\Guest\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-08-08 13:18 . 2009-02-20 17:11 38208 ----a-w- c:\users\Piotrek\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-08-06 16:53 . 2008-11-05 02:46 -------- d-----w- c:\program files\Sony
2009-08-05 11:51 . 2009-07-15 15:16 -------- d-----r- c:\program files\Skype
2009-08-05 10:54 . 2009-04-21 19:57 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-02 18:06 . 2008-11-06 01:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 22:04 . 2009-06-30 11:59 36864 ----a-w- c:\programdata\TEMP\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
2009-07-21 21:52 . 2009-07-28 22:22 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 22:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 22:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 22:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-20 00:06 . 2009-07-20 00:06 613 ----a-w- c:\windows\eReg.dat
2009-07-20 00:06 . 2008-10-05 01:52 -------- d-----w- c:\program files\EA GAMES
2009-07-18 23:36 . 2009-07-18 13:36 -------- d-----w- c:\program files\SureThing
2009-07-18 23:36 . 2007-05-31 09:01 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-07-18 16:40 . 2009-07-18 16:40 -------- d-----w- c:\program files\Total War
2009-07-18 13:40 . 2008-09-29 23:56 101352 ----a-w- c:\users\Piotrek\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-18 13:32 . 2009-07-18 13:32 -------- d-----w- c:\programdata\LightScribe
2009-07-18 13:28 . 2009-07-18 13:28 -------- d-----w- c:\program files\Common Files\LightScribe
2009-07-16 17:06 . 2008-12-28 06:02 -------- d-----w- c:\users\Piotrek\AppData\Roaming\dvdcss
2009-07-15 15:16 . 2009-07-15 15:16 -------- d-----w- c:\program files\Common Files\Skype
2009-07-15 15:16 . 2009-06-08 20:05 -------- d-----w- c:\programdata\Skype
2009-07-15 15:11 . 2008-10-05 14:45 -------- d-----w- c:\program files\DivX
2009-07-15 15:10 . 2009-06-21 01:06 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-10 16:15 . 2009-07-10 16:15 306544 ----a-w- c:\windows\WLXPGSS.SCR
2009-07-08 17:44 . 2009-07-08 17:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 00:05 . 2009-07-04 14:11 -------- d-----w- c:\program files\Unity
2009-07-05 13:18 . 2009-07-05 13:18 -------- d-----w- c:\program files\MTTrials
2009-07-05 13:15 . 2009-07-04 19:49 -------- d-----w- c:\program files\Funny Creatures
2009-07-02 20:57 . 2009-04-01 01:27 -------- d-----w- c:\program files\Moviestorm Release
2009-07-02 17:33 . 2007-05-31 09:22 -------- d-----w- c:\programdata\CyberLink
2009-06-30 23:19 . 2009-07-02 12:01 106496 ----a-w- c:\users\Piotrek\AppData\Roaming\Mozilla\Plugins\npcoolirisplugin.dll
2009-06-30 19:36 . 2009-08-20 20:22 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryReplaceNew.exe
2009-06-30 19:10 . 2009-08-20 20:22 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryNoTravel.exe
2009-06-30 19:03 . 2009-08-20 20:22 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryAccessories.exe
2009-06-30 16:44 . 2009-08-20 20:22 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryWeakNew.exe
2009-06-30 13:39 . 2008-09-30 03:41 -------- d-----w- c:\users\Piotrek\AppData\Roaming\CyberLink
2009-06-30 12:02 . 2009-06-30 12:01 -------- d-----w- c:\program files\CyberLink
2009-06-26 22:36 . 2009-08-20 20:22 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryUpgrade.exe
2009-06-21 13:04 . 2009-06-21 13:02 34 ----a-w- c:\users\Piotrek\jagex_runescape_preferences.dat
2009-06-19 21:57 . 2009-01-26 18:45 54916 ----a-w- c:\programdata\nvModes.dat
2009-06-18 17:03 . 2008-09-30 02:49 10134 ----a-r- c:\users\Piotrek\AppData\Roaming\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-06-15 14:53 . 2009-07-14 19:26 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-14 19:26 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-14 19:26 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-14 19:26 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-14 19:26 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-09 21:16 . 2009-06-09 21:16 3482240 ----a-w- c:\windows\system32\drivers\snp2uvc.sys
2009-06-08 20:10 . 2009-06-08 20:10 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-06-04 11:42 . 2009-06-04 11:42 46372 ----a-r- c:\users\Piotrek\AppData\Roaming\Microsoft\Installer\{F691A1F5-2789-46CE-A45A-57763198D384}\_6FEFF9B68218417F98F549.exe
2009-06-04 11:42 . 2009-06-04 11:42 46372 ----a-r- c:\users\Piotrek\AppData\Roaming\Microsoft\Installer\{F691A1F5-2789-46CE-A45A-57763198D384}\_153C6C76937D50BFAD50F8.exe
2009-06-02 02:16 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"OxigenClientAdmin"="c:\program files\Oxigen\bin\Oxigen.exe" [2007-06-23 887264]
"OxigenTrayIcon"="c:\program files\Oxigen\bin\OxiTray.exe" [2007-06-23 557536]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-28 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-28 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-28 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-17 149280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-19 468264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):f2,f6,ca,5d,29,e3,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E745917A-2408-415A-90AD-012C9ED4CABF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DFC29E52-4325-47EB-A3E3-610553E93065}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{748AB940-A937-49CF-B0BE-DDE3197C8C3F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B33D8B4B-4DF8-4E93-9CF8-80A110094D07}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C6FFCC69-5FEF-42B6-8093-109073549692}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{51134F5C-05F7-485C-A9F7-8C3A7AF53B8B}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{825DD0AB-F15C-4AE4-879F-02D0098A5DBA}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2F81CA3D-A256-4BCF-8C72-A9B4ECE9CD72}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{DA46E603-7919-4B28-A7CA-884C558276EC}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{4A97FF6E-2327-4005-ADA6-2644410F09D6}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{24254C2C-BAE5-40CC-99CF-FB3529765758}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DE92661A-C410-4F2A-838B-ADD0C92ED45C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{66999EDF-F933-4714-ACE6-7C440F394295}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{A4EC8BB7-8B49-4116-A1FD-BEB79E16AF60}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{54DCF9E1-0F4B-40DF-A931-4666DFA7A572}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{8DECB0C2-0EC5-4E0B-A77B-FBFEC5D0DB02}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{229B9C51-FBE7-4DB2-8ACA-3E3DE76EB24B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{78B0777A-DC28-4512-9F18-4E9C6E309071}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B9250D1B-B335-4ED0-BA35-0F3E610A0A4A}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{A6B9B4E2-2B98-4430-8BA2-D0E81826A869}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{54998E15-8DED-4942-8776-CB4DF658B391}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{DEDE977F-1F65-42A2-A259-804298FD3EF8}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{E0D06BD3-49D1-4136-AB7F-A29CF81E2FF5}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{8131AAEF-13C5-4FE1-9C73-7C31A741E79A}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{FA44DAB5-8E1D-4CA9-9C82-04157331C0DE}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [24/08/2009 7:32 AM 28544]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/08/2009 4:03 PM 210216]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [03/12/2008 7:33 PM 33752]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 10:31 PM 29263712]
S3 ST50220;Sonix ST50220 USB Video Camera Driver;c:\windows\System32\drivers\ST50220.sys [18/06/2009 1:21 PM 26752]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [28/10/2008 5:42 PM 156968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-20 01:26]

2009-08-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-20 01:26]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://uoguelph.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.search.yahoo.com/search?fr=mcafee&p=%s
DPF: {047C3241-279D-438A-BC34-9AD1C1910FC0} - hxxp://www.mathcentre.ac.uk/resources/tests/activex/DrsDnldProj1.cab
FF - ProfilePath - c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\lx70qbhh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pcfinancial.ca/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\lx70qbhh.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\lx70qbhh.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Piotrek\AppData\Roaming\Mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 15:53
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-08-24 15:58
ComboFix-quarantined-files.txt 2009-08-24 19:58

Pre-Run: 44,115,021,824 bytes free
Post-Run: 44,501,184,512 bytes free

333 --- E O F --- 2009-08-20 18:32
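The log above has three parts worth reading first: what ComboFix deleted ("Other Deletions"), what autostarts ("Reg Loading Points"), and the Security Center keys with DisableMonitoring set. The script below is an added example, not part of this thread and not ComboFix's own code: it parses that log layout, lists the autostart entries and disabled-monitoring keys, and flags deleted files under the Windows directory whose names look machine-generated (the random-name heuristic and its thresholds are my assumption, not anything ComboFix does). The log excerpt it parses is constructed from a few lines of the log posted above.

```python
"""Triage a ComboFix-style log (added example, not ComboFix code): list what it
deleted, which Run/RunOnce values it printed and which Security Center
monitoring keys are off, then flag deleted system files with generated-looking names."""
import re

# Constructed excerpt modelled on the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Piotrek\AppData\Roaming\020000007c5f5211654C.manifest
c:\windows\Installer\e93840.msi
c:\windows\system32\LF1nPsmSb0IphsZ.vbs
c:\windows\system32\nianchoojiugggkwc.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")            # (((( Name )))) banners
KEY_RE = re.compile(r"^\[(.+)\]$")                                # [HKEY_...] lines
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[[^\]]*\])?$')  # "name"="path" [date size]
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
VOWELS = set("aeiouy")


def split_sections(text):
    """Map each banner title to the stripped lines that follow it."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def deleted_files(sections):
    return [l for l in sections.get("Other Deletions", []) if PATH_RE.match(l)]


def autorun_entries(sections):
    """(key, value name, path) for each value under a Run or RunOnce key."""
    entries, key = [], None
    for line in sections.get("Reg Loading Points", []):
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            key = km.group(1)
        elif vm and key and key.lower().rsplit("\\", 1)[-1] in ("run", "runonce"):
            entries.append((key, vm.group(1), vm.group(2)))
    return entries


def monitoring_disabled(sections):
    """Security Center keys with DisableMonitoring=1. Security suites set these to
    silence Security Center, but so does rogue AV: check which product owns each."""
    keys, key = [], None
    for line in sections.get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
        elif key and "security center\\monitoring" in key.lower() \
                and line.lower() == '"disablemonitoring"=dword:00000001':
            keys.append(key)
    return keys


def max_consonant_run(s):
    run = best = 0
    for ch in s.lower():
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def looks_random(stem):
    """Heuristic (assumed thresholds): long names that mix case with digits or
    contain an unpronounceable consonant run."""
    if len(stem) < 12:
        return False
    mixed = (any(c.isdigit() for c in stem) and any(c.isupper() for c in stem)
             and any(c.islower() for c in stem))
    return mixed or max_consonant_run(stem) >= 4


def flagged_deletions(paths):
    """Deleted files under the Windows directory whose base name looks generated."""
    out = []
    for p in paths:
        stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\windows\\" in p.lower() and looks_random(stem):
            out.append(p)
    return out


def triage(text):
    s = split_sections(text)
    deleted = deleted_files(s)
    return {"deleted": deleted, "flagged": flagged_deletions(deleted),
            "autoruns": autorun_entries(s), "monitoring_disabled": monitoring_disabled(s)}
```

On the posted log, `triage` singles out the two system32 files (the `.vbs` with mixed case and digits, the `.exe` with the `gggkwc` consonant run) while leaving `e93840.msi` and the AppData manifests alone, and it surfaces the three DisableMonitoring keys; those keys are written by legitimate suites as well as by rogue AV, so the script reports them for a human to attribute rather than calling them malicious.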
Old 08-24-2009, 07:31 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

Hi wolski888,

All that's left now is to delete this folder:

c:\programdata\iWin Games

======================================

If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


- Most importantly, have your brother take a few minutes to read these short articles:

Think Prevention
Perils of P2P File Sharing.

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 08-25-2009, 07:43 AM   #9 (permalink)
Registered User
 
Join Date: Sep 2008
Location: Guelph, ON, Canada
Posts: 143
OS: XP Service Pack 2, Windows 2000


Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

Thank you, Ried, very much.
However, the ComboFix /u command is not working.
An error message tells me that it cannot find it.
Should I manually delete it or something?
Thanks for the tips, btw.

Also, Secunia seems to never work for me,
as in, I download the link,
successful installation, but same results in that scanner (problem for another day).
I use FileHippo Update Checker now.

Sorry for the hassle with combofix /u.
What should I do with that?

Thanks again
Old 08-25-2009, 07:52 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

Hi wolski888. No, simply deleting it is not enough - it needs to be uninstalled. Do delete the existing ComboFix.exe from the desktop, download a fresh copy from here, then run the command.

Let me know if that was successful.
Old 08-25-2009, 08:27 AM   #11 (permalink)
Registered User
 
Join Date: Sep 2008
Location: Guelph, ON, Canada
Posts: 143
OS: XP Service Pack 2, Windows 2000


Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

I already deleted ComboFix.exe after scanning.
Is that why it could not find it?

I will download it and run the command.
Old 08-25-2009, 08:39 AM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

Yes, that would do it.
Old 08-25-2009, 09:49 AM   #13 (permalink)
Registered User
 
Join Date: Sep 2008
Location: Guelph, ON, Canada
Posts: 143
OS: XP Service Pack 2, Windows 2000


Re: Infected with HTML/Infected.WebPage.Gen HTML script virus

It was a success (I would like to point out that I cannot download from that link, so I used
the Link 2 you gave me from forayo or something.com)

I would really like to thank you
I will keep you in my prayers
God bless

Thread Solved (unless you would like to add something)
Old 08-25-2009, 11:25 AM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: [SOLVED] Infected with HTML/Infected.WebPage.Gen HTML script virus

Thank you, wolski888.

I am concerned that you cannot download from the first link. What happens when you try to?
Old 08-25-2009, 05:36 PM   #15 (permalink)
Registered User
 
Join Date: Sep 2008
Location: Guelph, ON, Canada
Posts: 143
OS: XP Service Pack 2, Wiindows 2000


Re: [SOLVED] Infected with HTML/Infected.WebPage.Gen HTML script virus

I have the download status bar addon for Firefox
It will appear and seems to stall
It will stay at zero basically
Then I just download from Link2
It could be a server problem but I do not know
Thanks for the concern

BTW is the Academy planning to open soon
May I ask a personal question
How did you become so good at helping others through logs?

Thanks once again for your help
Old 08-25-2009, 07:56 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: [SOLVED] Infected with HTML/Infected.WebPage.Gen HTML script virus

Try it with IE and see if the same occurs.

The Academy will not open for another month or two. It takes time, research, testing, experience, then more time, research, and more time, research..
Old 08-25-2009, 09:26 PM   #17 (permalink)
Registered User
 
Join Date: Sep 2008
Location: Guelph, ON, Canada
Posts: 143
OS: XP Service Pack 2, Windows 2000


Re: [SOLVED] Infected with HTML/Infected.WebPage.Gen HTML script virus

It worked on IE

Thanks for the tips
I hope this thread is now TRULY solved.

Once again Ried, I thank you very much and will keep you in my prayers!!!
Copyright 2001 - 2009, Tech Support Forum