Computer transmitting unsolicited emails?

[Kirbett]

I have been trying to help a friend in Australia (I'm in the UK) whose computer may have been infected. We have received two unsolicited emails so far apparently from her. Each email has a suspiciously simple Subject (e.g. "Hello" or "Hi"), has been addressed to a small number of email addresses apparently randomly selected from and correlated with her address book, and has contained a link to a web page which I imagine has been hacked and infected with a Java exploit.

The computer is running Windows XP, and has Microsoft Security Essentials installed. An MSE scan reported no problems. A Quick Scan by MBAM reported no problems. A full scan by MBAM reported some PUPs referencing two products - FunWebProducts and MyWebSearch. These PUPs have been quarantined, but one of the unsolicited emails appears to have been transmitted after the quarantining.

I have not yet been able to prove unequivocally that it is this computer that is infected, but it seems highly likely. I'd welcome any advice. DDS output and an MBAN Full Scan log taken AFTER the quarantining follow.

As an aside, a product, ARO 2012, was unintentionally installed at the same time as Malwarebytes Anti-Malware, as discussed in another thread. http://forums.malwar...howtopic=122127 . I have asked the user not to uninstall this or anything else just yet.

POSTSCRIPT:

I have since had my attention drawn to this article http://www.digitaltr...oo-mail-exploit . Although not a regular user of Yahoo Mail, the user does have a Yahoo Mail account. Am I right in thinking that this exploit only mass mails at the time it is accessed, does NOT infect the user's machine, and would NOT leave any trace of its activity? Is it possible to confirm if the links contained in her emails contain this particular (or another) exploit? The links are ...

**** WARNING **** LINKS MENTIONED HERE MAY BE INFECTED ****

www DOT broedrenekilli DOT com/components/com_content/id8767571.php

and lightbox DOT sk/icmie.php

**** WARNING **** LINKS MENTIONED HERE MAY BE INFECTED ****

Thanks for any assistance ...

----------------------------------------- dds.txt ----------------------------------------------------------------------------------------------------

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by Administrator at 21:44:06 on 2013-02-06

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3575.2791 [GMT 11:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ================

.

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HP\POS_Keyboard\KeyMan\KeyMan.exe

C:\Program Files\HP\POS_Keyboard\CDI\cdimsrclient.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\HP\POS_Keyboard\CDI\cdi.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\Program Files\Ask.com\Updater\Updater.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Emoticons Mail\emomail.exe

C:\Program Files\Jessops\Picture Suite\InsDetect.exe

C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\WINDOWS\system32\msfeedssync.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com.au/

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\prxConduitEngine.dll

BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll

BHO: Support.com Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Support.com Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\prxConduitEngine.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -

TB: Support.com Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Emoticons Mail] c:\program files\emoticons mail\emomail.exe

uRun: [Jessops Insert Detect] c:\program files\jessops\picture suite\InsDetect.exe

uRun: [AROReminder] c:\program files\aro 2012\ARO.exe -rem

mRun: [CherryKeyMan] "c:\program files\hp\pos_keyboard\keyman\KeyMan.exe"

mRun: [CDIMSRClient] "c:\program files\hp\pos_keyboard\cdi\cdimsrclient.exe"

mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [Recguard] c:\windows\sminst\Recguard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [scheduler] c:\windows\sminst\Scheduler.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe

mRun: [brStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun

mRun: [MediaFace Integration] c:\program files\fellowes\mediaface 4.0\SetHook.exe

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1345345090593

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 192.168.0.1

TCP: Interfaces\{91C8E974-071C-4472-B3BE-FAF6E0744B33} : NameServer = 203.123.94.40,203.24.100.125

TCP: Interfaces\{91C8E974-071C-4472-B3BE-FAF6E0744B33} : DHCPNameServer = 192.168.0.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 193552]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-3 398184]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-3 682344]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-10-23 576024]

R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-11-22 3290304]

R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]

R3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\drivers\Ch2kPS2.sys [2007-6-27 130560]

R3 Cherry Device Interface;Cherry Device Interface;c:\program files\hp\pos_keyboard\cdi\cdi.exe [2008-6-5 585774]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-3 21104]

S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-11-9 160944]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 POSPerformanceCounters;Point Of Service Performance Counters;c:\program files\microsoft point of service\Microsoft.PointOfService.Service.exe [2008-3-1 42056]

.

=============== File Associations ===============

.

ShellExec: pdfvista.exe: Open="c:\program files\pdf complete\pdfvista.exe"

ShellExec: pdfvista.exe: Read="c:\program files\pdf complete\pdfvista.exe"

.

=============== Created Last 30 ================

.

2013-02-06 06:38:40 6991832 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{339fa404-470b-4dc8-9e6f-e75f3d11d140}\mpengine.dll

2013-02-05 04:26:14 6991832 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2013-02-03 04:21:51 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2013-02-03 04:21:35 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2013-02-03 04:21:31 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-02-03 04:21:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-02-03 04:09:22 -------- d-----w- c:\program files\Ask.com

2013-02-03 04:09:20 -------- d-----w- c:\documents and settings\administrator\local settings\application data\AskToolbar

2013-02-03 04:06:53 -------- d-----w- c:\documents and settings\administrator\application data\Sammsoft

2013-02-03 04:06:50 -------- d-----w- c:\documents and settings\all users\application data\Ask

2013-02-03 04:06:37 -------- d-----w- c:\program files\ARO 2012

2013-02-02 06:23:25 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2013-02-02 06:23:25 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2013-02-02 06:23:25 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2013-02-02 06:23:25 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2013-02-02 06:23:25 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2013-02-02 06:23:25 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2013-02-02 06:23:25 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2013-01-24 23:47:03 -------- d-----w- c:\program files\Tli

.

==================== Find3M ====================

.

2013-01-30 10:53:21 232336 ------w- c:\windows\system32\MpSigStub.exe

2013-01-09 06:23:13 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-01-09 06:23:13 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 21:44:52.59 ===============

----------------------------------------- attach.txt ------------------------------------------------------------------------------------------------

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 3/08/2010 12:45:54 PM

System Uptime: 6/02/2013 3:56:35 PM (6 hours ago)

.

Motherboard: Hewlett-Packard | | 0A80h

Processor: Intel® Pentium® Dual CPU E2160 @ 1.80GHz | XU1 PROCESSOR | 1795/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 137 GiB total, 69.735 GiB free.

D: is CDROM (CDFS)

E: is FIXED (NTFS) - 12 GiB total, 7.909 GiB free.

F: is FIXED (NTFS) - 466 GiB total, 405.392 GiB free.

G: is Removable

H: is Removable

I: is Removable

K: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}

Description: PS/2 Compatible Mouse

Device ID: ACPI\PNP0F13\4&DE53A73&0

Manufacturer: Microsoft

Name: PS/2 Compatible Mouse

PNP Device ID: ACPI\PNP0F13\4&DE53A73&0

Service: i8042prt

.

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}

Description: Cherry PS/2 Keyboard Driver for CDI

Device ID: ACPI\PNP0303\4&DE53A73&0

Manufacturer: Cherry GmbH

Name: Cherry PS/2 Keyboard Driver for CDI

PNP Device ID: ACPI\PNP0303\4&DE53A73&0

Service: i8042prt

.

==== System Restore Points ===================

.

RP746: 9/11/2012 7:32:56 PM - Software Distribution Service 3.0

RP747: 10/11/2012 8:32:14 PM - Software Distribution Service 3.0

RP748: 12/11/2012 3:52:49 PM - Software Distribution Service 3.0

RP749: 13/11/2012 7:43:23 PM - Software Distribution Service 3.0

RP750: 14/11/2012 10:14:07 PM - Software Distribution Service 3.0

RP751: 16/11/2012 10:33:27 AM - System Checkpoint

RP752: 16/11/2012 10:40:36 AM - Software Distribution Service 3.0

RP753: 16/11/2012 3:05:35 PM - Software Distribution Service 3.0

RP754: 16/11/2012 10:27:08 PM - Software Distribution Service 3.0

RP755: 17/11/2012 3:09:36 PM - Software Distribution Service 3.0

RP756: 18/11/2012 4:19:25 PM - Software Distribution Service 3.0

RP757: 19/11/2012 2:58:50 PM - Software Distribution Service 3.0

RP758: 20/11/2012 3:38:04 PM - Software Distribution Service 3.0

RP759: 21/11/2012 6:39:08 PM - Software Distribution Service 3.0

RP760: 22/11/2012 7:09:31 PM - Software Distribution Service 3.0

RP761: 23/11/2012 8:52:29 PM - Software Distribution Service 3.0

RP762: 24/11/2012 9:28:59 PM - Software Distribution Service 3.0

RP763: 25/11/2012 10:19:30 PM - Software Distribution Service 3.0

RP764: 27/11/2012 9:24:15 AM - Software Distribution Service 3.0

RP765: 28/11/2012 1:02:52 PM - Software Distribution Service 3.0

RP766: 29/11/2012 1:27:46 PM - System Checkpoint

RP767: 29/11/2012 4:02:24 PM - Software Distribution Service 3.0

RP768: 30/11/2012 5:10:41 PM - Software Distribution Service 3.0

RP769: 1/12/2012 5:36:06 PM - Software Distribution Service 3.0

RP770: 2/12/2012 6:38:55 PM - Software Distribution Service 3.0

RP771: 3/12/2012 3:22:01 PM - Software Distribution Service 3.0

RP772: 4/12/2012 5:09:44 PM - System Checkpoint

RP773: 4/12/2012 6:02:29 PM - Software Distribution Service 3.0

RP774: 5/12/2012 6:03:54 PM - System Checkpoint

RP775: 5/12/2012 7:06:32 PM - Software Distribution Service 3.0

RP776: 6/12/2012 9:37:35 PM - System Checkpoint

RP777: 7/12/2012 8:52:28 AM - Software Distribution Service 3.0

RP778: 8/12/2012 11:02:42 AM - Software Distribution Service 3.0

RP779: 9/12/2012 12:43:29 PM - Software Distribution Service 3.0

RP780: 10/12/2012 3:03:59 PM - Software Distribution Service 3.0

RP781: 11/12/2012 3:59:27 PM - Software Distribution Service 3.0

RP782: 12/12/2012 5:24:02 PM - Software Distribution Service 3.0

RP783: 13/12/2012 3:03:36 PM - Software Distribution Service 3.0

RP784: 13/12/2012 6:17:42 PM - Software Distribution Service 3.0

RP785: 14/12/2012 7:15:52 PM - Software Distribution Service 3.0

RP786: 15/12/2012 7:43:13 PM - Software Distribution Service 3.0

RP787: 16/12/2012 10:01:53 PM - Software Distribution Service 3.0

RP788: 17/12/2012 10:17:41 PM - Software Distribution Service 3.0

RP789: 19/12/2012 9:18:04 AM - Software Distribution Service 3.0

RP790: 20/12/2012 9:26:41 AM - Software Distribution Service 3.0

RP791: 21/12/2012 9:34:06 AM - Software Distribution Service 3.0

RP792: 21/12/2012 9:21:39 PM - Software Distribution Service 3.0

RP793: 22/12/2012 9:43:38 AM - Software Distribution Service 3.0

RP794: 23/12/2012 10:11:00 AM - Software Distribution Service 3.0

RP795: 24/12/2012 11:54:22 AM - System Checkpoint

RP796: 24/12/2012 5:00:03 PM - Software Distribution Service 3.0

RP797: 26/12/2012 10:28:29 AM - Software Distribution Service 3.0

RP798: 27/12/2012 11:57:24 AM - Software Distribution Service 3.0

RP799: 28/12/2012 3:20:18 PM - Software Distribution Service 3.0

RP800: 29/12/2012 3:54:57 PM - Software Distribution Service 3.0

RP801: 30/12/2012 4:01:30 PM - Software Distribution Service 3.0

RP802: 31/12/2012 2:42:50 PM - Software Distribution Service 3.0

RP803: 1/01/2013 3:48:03 PM - Software Distribution Service 3.0

RP804: 2/01/2013 4:09:24 PM - Software Distribution Service 3.0

RP805: 3/01/2013 6:09:41 PM - Software Distribution Service 3.0

RP806: 4/01/2013 10:14:00 PM - Software Distribution Service 3.0

RP807: 4/01/2013 11:15:51 PM - Software Distribution Service 3.0

RP808: 5/01/2013 11:36:26 PM - Software Distribution Service 3.0

RP809: 7/01/2013 10:21:55 AM - Software Distribution Service 3.0

RP810: 8/01/2013 1:01:59 PM - Software Distribution Service 3.0

RP811: 9/01/2013 4:54:04 PM - Software Distribution Service 3.0

RP812: 9/01/2013 10:17:15 PM - Software Distribution Service 3.0

RP813: 10/01/2013 6:53:33 PM - Software Distribution Service 3.0

RP814: 12/01/2013 7:15:37 AM - Software Distribution Service 3.0

RP815: 13/01/2013 10:27:53 AM - Software Distribution Service 3.0

RP816: 14/01/2013 2:47:59 PM - Software Distribution Service 3.0

RP817: 15/01/2013 5:06:02 PM - Software Distribution Service 3.0

RP818: 15/01/2013 10:36:56 PM - Software Distribution Service 3.0

RP819: 16/01/2013 8:32:45 PM - Software Distribution Service 3.0

RP820: 17/01/2013 9:18:38 PM - System Checkpoint

RP821: 18/01/2013 9:53:27 AM - Software Distribution Service 3.0

RP822: 19/01/2013 2:09:01 PM - System Checkpoint

RP823: 20/01/2013 10:12:40 AM - Software Distribution Service 3.0

RP824: 21/01/2013 10:36:08 AM - System Checkpoint

RP825: 22/01/2013 9:26:30 AM - Software Distribution Service 3.0

RP826: 23/01/2013 10:19:07 AM - Software Distribution Service 3.0

RP827: 24/01/2013 12:07:45 PM - System Checkpoint

RP828: 24/01/2013 2:51:47 PM - Software Distribution Service 3.0

RP829: 25/01/2013 5:17:09 PM - Software Distribution Service 3.0

RP830: 26/01/2013 6:18:11 PM - Software Distribution Service 3.0

RP831: 27/01/2013 8:44:28 PM - Software Distribution Service 3.0

RP832: 28/01/2013 3:30:41 PM - Software Distribution Service 3.0

RP833: 29/01/2013 3:33:49 PM - System Checkpoint

RP834: 29/01/2013 6:55:52 PM - Software Distribution Service 3.0

RP835: 30/01/2013 7:19:42 PM - Software Distribution Service 3.0

RP836: 31/01/2013 9:13:31 PM - Software Distribution Service 3.0

RP837: 1/02/2013 9:33:59 PM - Software Distribution Service 3.0

RP838: 3/02/2013 9:22:35 AM - Software Distribution Service 3.0

RP839: 3/02/2013 3:06:37 PM - ARO 2012 - Before Installation

RP840: 3/02/2013 3:07:02 PM - ARO 2012 - FIRST RUN

RP841: 4/02/2013 1:24:35 PM - Software Distribution Service 3.0

RP842: 5/02/2013 3:26:02 PM - Software Distribution Service 3.0

RP843: 6/02/2013 5:38:29 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

7-Zip 4.65

A+ German

ABBYY FineReader 6.0 Sprint

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Photoshop Elements

Adobe Shockwave Player 11.5

Adobe SVG Viewer

Apple Application Support

Apple Software Update

ArcSoft MediaImpression

ARO 2012

Ask Toolbar

Bing Bar

Broadcom Management Programs

Brother HL-3040CN

Camera Support Core Library

Canon Camera Access Library

Canon Camera Support Core Library

Canon DIGITAL CAMERA Solution Disk Software Guide

Canon MOV Decoder

Canon MOV Encoder

Canon MovieEdit Task for ZoomBrowser EX

Canon PhotoRecord

Canon PowerShot ELPH 300 HS_IXUS 220 HS Camera User Guide

Canon RAW Image Task for ZoomBrowser EX

Canon RemoteCapture Task for ZoomBrowser EX

Canon Utilities CameraWindow DC 8

Canon Utilities CameraWindow Launcher

Canon Utilities Movie Uploader for YouTube

Canon Utilities MyCamera

Canon Utilities PhotoStitch

Canon Utilities ZoomBrowser EX

Canon ZoomBrowser EX Memory Card Utility

Compatibility Pack for the 2007 Office system

Conduit Engine

Configuration Tools for the HP USB POS Keyboard V5.3

DVD Shrink 3.2

Emoticons Mail 3.2

Epson Copy Utility 3.4

Epson Event Manager

EPSON PERFECTION V30_V300 PHOTO Manual

EPSON Scan

Family Tree Maker

Family Tree Maker 2012

Free DVD Decrypter version 1.5

German Grammar Made Easy

GOM Player

Google Earth

Google Update Helper

High Definition Audio Driver Package - KB888111

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB2779562)

Hotfix for Windows XP (KB952117-v2)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB981793)

HP Backup and Recovery Manager

hp deskjet 3820 series

HP Help and Support

HP Pole Display Test

HP Sample App

HP USB Barcode Scanner

HP USB Mini MSR OPOS Driver

IMAPSize 0.3.7

Intel® Graphics Media Accelerator Driver

InterVideo Register Manager

InterVideo WinDVD

Java™ 6 Update 7

Jessops Picture Suite

LeapFrog Connect

LeapFrog My Pals Plugin

Malwarebytes Anti-Malware version 1.70.0.1100

MediaFACE 4.01

MediaFACE 4.01 Image Library

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2698023)

Microsoft .NET Framework 1.1 Security Update (KB2742597)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office File Validation Add-In

Microsoft Office Professional Edition 2003

Microsoft POS for .NET 1.12

Microsoft Security Client

Microsoft Security Essentials

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Mozilla Thunderbird (3.1.20)

MPEG2 Codec(libmpeg2/mad)

MSXML 6 Service Pack 2 (KB973686)

Nero OEM

Nero Suite

NewFreeScreensaver nfsCollections034

Office Translator 8.0

OGA Notifier 2.0.0048.0

OPOS Common Control Objects 1.11.000

OPOS for HP Line Display

OPOS Support for Hewlett-Packard printers

OPOS Support for HP POS Keyboard

ParLoc2

PDF Complete

Photo Story 3 for Windows

QuickTime

RAW Image Task 1.1

RealSpeak Text To Speech engine (American English)

RealSpeak Text To Speech engine (French)

RealSpeak Text To Speech engine (German)

RealSpeak Text To Speech engine (Italian)

RealSpeak Text To Speech engine (Spanish)

Realtek High Definition Audio Driver

RemoteCapture Task 1.0.3

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB2183461)

Security Update for Windows Internet Explorer 7 (KB2360131)

Security Update for Windows Internet Explorer 7 (KB2416400)

Security Update for Windows Internet Explorer 7 (KB2482017)

Security Update for Windows Internet Explorer 7 (KB2497640)

Security Update for Windows Internet Explorer 7 (KB2530548)

Security Update for Windows Internet Explorer 7 (KB2544521)

Security Update for Windows Internet Explorer 7 (KB2559049)

Security Update for Windows Internet Explorer 7 (KB2586448)

Security Update for Windows Internet Explorer 7 (KB2618444)

Security Update for Windows Internet Explorer 7 (KB2647516)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB2699988)

Security Update for Windows Internet Explorer 8 (KB2722913)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB2761465)

Security Update for Windows Internet Explorer 8 (KB2799329)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Encoder (KB2447961)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2685939)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2709162)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2718523)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2731847)

Security Update for Windows XP (KB2753842-v2)

Security Update for Windows XP (KB2753842)

Security Update for Windows XP (KB2757638)

Security Update for Windows XP (KB2758857)

Security Update for Windows XP (KB2761226)

Security Update for Windows XP (KB2770660)

Security Update for Windows XP (KB2779030)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982381)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Skype Click to Call

Skype™ 6.0

Support.com Toolbar Updater

Uninstall 1.0.0.1

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB2598845)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2616676-v2)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)

WebFldrs XP

Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)

Windows Genuine Advantage Notifications (KB905474)

Windows Imaging Component

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Encoder 9 Series

Windows Media Format 11 runtime

Windows Media Player 11

Windows Presentation Foundation

Windows XP Service Pack 3

XML Paper Specification Shared Components Pack 1.0

.

==== Event Viewer Messages From Past Week ========

.

4/02/2013 10:42:22 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.143.1423.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9103.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

3/02/2013 5:12:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt iaStor

1/02/2013 9:03:44 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt

1/02/2013 9:03:17 AM, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 000FFEEFDE55 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

.

==== End Of File ===========================

----------------------------------------- attach.txt ------------------------------------------------------------------------------------------------

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.03.02

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Administrator :: ROBYN2 [administrator]

Protection: Enabled

3/02/2013 3:34:37 PM

mbam-log-2013-02-03 (15-34-37).txt

Scan type: Full scan (C:\|E:\|F:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 335524

Time elapsed: 1 hour(s), 13 minute(s), 25 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 3

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\FunWebProducts (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 3

C:\Program Files\FunWebProducts (PUP.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\FunWebProducts\Installr (PUP.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\FunWebProducts\Installr\2.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Files Detected: 4

C:\Documents and Settings\Administrator\My Documents\Desktop\PopularScreenSavers.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.

C:\Program Files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

C:\Program Files\FunWebProducts\Installr\2.bin\F3PLUGIN.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

C:\Program Files\FunWebProducts\Installr\2.bin\NPFUNWEB.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

(end)

--------------------------------------------------------------------------------------------------------------------------------------

[TheDarkKnight]

I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear.

Please uninstall ARO2012 via the Control Panel.

=====

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

[Kirbett]

Thanks for the reply. I'm forwarding your instructions onto the end-user, but have advised her first to bring her Data Backups up-to-date (don't ask). She is enrolling the help of her family in that respect, so, together with the time-zone delays, it might be a couple of days before she can proceed with running ComboFix.

In the meantime, I observe your note about restarting the computer in the event of an "Illegal operation attempted on a registry key" message. After such a restart, would it just be a matter of reexecuting ComboFix.exe?

[Maurice Naggar]

<kibbitz>

No, no, you do not re-run Combofix ! IF you got that message, you would only Logoff and Restart the system fresh. That should clear that message out.

HTH. I now ask that you return to regular programming.

</kibbitz>

[Kirbett]

ARO 2012 uninstalled. Backups done. C:\ComboFix.txt contents follow ...

-----------------------------------------------------------------------------------------------------------------------------------

ComboFix 13-02-07.02 - Administrator 10/02/2013 20:20:12.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3575.2742 [GMT 11:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Application Data\PriceGong

c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml

c:\documents and settings\Administrator\My Documents\~WRD0628.tmp

c:\documents and settings\Administrator\My Documents\~WRL1299.tmp

c:\documents and settings\Administrator\My Documents\~WRL1591.tmp

c:\documents and settings\Administrator\My Documents\~WRL2019.tmp

c:\documents and settings\Administrator\Recent\Thumbs.db

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk

c:\windows\EventSystem.log

c:\windows\system32\SET2E.tmp

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

E:\Autorun.inf

F:\AUTORUN.INF

G:\autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2013-01-10 to 2013-02-10 )))))))))))))))))))))))))))))))

.

.

2013-02-10 08:01 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA55B502-6780-440A-9386-F5B7458F8837}\mpengine.dll

2013-02-10 03:16 . 2013-02-10 03:17 -------- d-----w- c:\windows\system32\NtmsData

2013-02-08 08:27 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-02-08 05:51 . 2013-02-08 06:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Deployment

2013-02-03 04:21 . 2013-02-03 04:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2013-02-03 04:21 . 2013-02-03 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2013-02-03 04:21 . 2013-02-03 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-02-03 04:21 . 2012-12-14 05:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-02-03 04:09 . 2013-02-03 04:10 -------- d-----w- c:\program files\Ask.com

2013-02-03 04:09 . 2013-02-10 02:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar

2013-02-03 04:06 . 2013-02-03 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Ask

2013-02-02 06:23 . 2013-02-02 06:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll

2013-02-02 06:23 . 2013-02-02 06:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll

2013-02-02 06:23 . 2013-02-02 06:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll

2013-02-02 06:23 . 2013-02-02 06:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll

2013-02-02 06:23 . 2013-02-02 06:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll

2013-02-02 06:23 . 2013-02-02 06:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll

2013-02-02 06:23 . 2013-02-02 06:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll

2013-02-02 06:22 . 2013-02-02 06:23 -------- d-----w- c:\program files\QuickTime

2013-02-02 06:22 . 2013-02-02 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2013-01-24 23:47 . 2013-01-24 23:47 -------- d-----w- c:\program files\Tli

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-08 04:23 . 2012-03-31 00:13 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-02-08 04:23 . 2011-07-03 01:07 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-01-30 10:53 . 2010-10-08 08:16 232336 ------w- c:\windows\system32\MpSigStub.exe

2012-12-16 12:23 . 2006-02-28 10:00 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-11-13 01:25 . 2006-02-28 10:00 1866368 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-12-19 1528096]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Emoticons Mail"="c:\program files\Emoticons Mail\emomail.exe" [2005-10-19 876602]

"Jessops Insert Detect"="c:\program files\Jessops\Picture Suite\InsDetect.exe" [2003-02-17 262144]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CherryKeyMan"="c:\program files\HP\POS_Keyboard\KeyMan\KeyMan.exe" [2008-05-14 237620]

"CDIMSRClient"="c:\program files\HP\POS_Keyboard\CDI\cdimsrclient.exe" [2007-08-23 53303]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]

"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]

"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]

"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-05-19 3618104]

"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2004-07-01 53248]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-09-28 298376]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-24 421888]

"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-12-19 1645856]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SMINST\\Scheduler.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

.

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [3/02/2013 3:21 PM 398184]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/02/2013 3:21 PM 682344]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [23/10/2009 7:56 AM 576024]

R3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\drivers\Ch2kPS2.sys [27/06/2007 8:38 AM 130560]

R3 Cherry Device Interface;Cherry Device Interface;c:\program files\HP\POS_Keyboard\CDI\cdi.exe [5/06/2008 9:57 AM 585774]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/02/2013 3:21 PM 21104]

S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [22/11/2012 10:29 AM 3290304]

S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [9/11/2012 11:21 AM 160944]

S4 POSPerformanceCounters;Point Of Service Performance Counters;c:\program files\Microsoft Point Of Service\Microsoft.PointOfService.Service.exe [1/03/2008 12:25 PM 42056]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-02-08 06:50 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-10 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 04:23]

.

2013-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 06:57]

.

2013-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-08 23:08]

.

2013-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-08 23:08]

.

2013-02-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 07:25]

.

2013-02-10 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2012-12-19 11:50]

.

2013-02-10 c:\windows\Tasks\User_Feed_Synchronization-{9D4CD219-07A1-490B-86F6-FD062C635623}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 17:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{91C8E974-071C-4472-B3BE-FAF6E0744B33}: NameServer = 203.123.94.40,203.24.100.125

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-02-10 20:26

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]

"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3041122359-1985549835-978781098-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,0e,a2,8d,4f,68,9e,46,be,f2,63,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,0e,a2,8d,4f,68,9e,46,be,f2,63,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(728)

c:\windows\system32\igfxdev.dll

.

Completion time: 2013-02-10 20:28:16

ComboFix-quarantined-files.txt 2013-02-10 09:28

.

Pre-Run: 74,720,002,048 bytes free

Post-Run: 79,368,192,000 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 72CD7EB4487F17796E1C2505E05BA6AB

[TheDarkKnight]

Good evening Kirbett,

You have the Ask Toolbar (AskBarDis) installed. I strongly recommend you remove the Ask Toolbar from your computer because:

• It promotes its toolbars on sites targeted at kids.
  
• It promotes its toolbars through ads that appear to be part of other companies' sites.
  
• It promotes its toolbars through other companies' spyware.
  
• It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  
• It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  
• It makes confusing changes to user's browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.
  

You also have Conduit installed, which is often present when there are other infections. In addition, it is known to act suspiciously. I strongly recommend removing it.

Please go to Start>Control Panel>Programs and uninstall the following programs (if present):

• AskBarDis
  
• Conduit
  
• Conduit Engine
  

Please restart your computer after these program removals.

=====

Next, please download AdwCleaner by Xplode onto your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  
• Click on Search.
  
• A logfile will automatically open after the scan has finished.
  
• Please post the content of that logfile in your reply.
  
• You can find the logfile at C:\AdwCleaner[R1].txt as well.

=====

Finally, please download Malwarebytes Anti-Rootkit here.

• Unzip the contents to a folder on the Desktop.
  
• Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  
• Wait while the system shuts down and the cleanup process is performed.
  
• Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

=====

In your reply please provide the following:

• AdwCleaner[R1].txt.
  
• Both MBAR logs.

How is the computer currently running?

[Kirbett]

DarkKnight,

Thanks for the response. I have a couple of questions.

1. I have read of problems that have arisen after trying to uninstall Conduit and ConduitEngine. Is it usually the case that just using Add/Remove Programs is sufficent to effectively remove these programs?

2. I note the disclaimer and warnings associated with MBAR, and these give me cause to hesitate, and, I suspect, may cause the end-user to balk. I am not sure if the end-user understands how to unzip files, and almost certainly she will not know how to recover from any mishap in the MBAR process.

As I explained in my first post, I had not been able to prove

firmly

that the end-user's computer was infected and/or the source of the emails. There is some suggestion that unsolicited emails are still continuing to circulate amongst her contacts, but now not necessarily from her machine. (I am seeking clarification of this). Otherwise, her computer seems to be running correctly. Is there any evidence of an infection in the logs that we have forwarded to you so far? I really would like to be able to establish whether this is the case before advising her to seek local / family assistance.

P.S. Would I be right to infer from the "Good Evening" that you might actually be located time-zone-wise closer to Australia than I am?

[TheDarkKnight]

Hello Kirbett,

1. I have read of problems that have arisen after trying to uninstall Conduit and ConduitEngine. Is it usually the case that just using Add/Remove Programs is sufficent to effectively remove these programs?

This should be sufficient. If not, some of the tools I will have you run will be able to deal with the leftovers.

I note the disclaimer and warnings associated with MBAR, and these give me cause to hesitate, and, I suspect, may cause the end-user to balk. I am not sure if the end-user understands how to unzip files, and almost certainly she will not know how to recover from any mishap in the MBAR process.

OK we can try a couple of other tools, but it my take longer.

Is there any evidence of an infection in the logs that we have forwarded to you so far? I really would like to be able to establish whether this is the case before advising her to seek local / family assistance.

I can't see anything so far; these tools should be able to shed more light.

Would I be right to infer from the "Good Evening" that you might actually be located time-zone-wise closer to Australia than I am?

I can do one better than that; I am from Australia .

OK. Instead of MBAR please run this tool instead.

Please download to your Desktop:

• TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

• Click Change parameters.
  
• Make sure you check the box Loaded modules.
  
• A window will popup and say Reboot is required. Please click Reboot now.
  
• Then click Change parameters again. Check the box Detect TDLFS file system.
  
• Click on the Start Scan button.
  
• If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
  
• Once the tool has finished, please click Report. Please copy and paste the contents of that log in your reply.
  Note: A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt).

[Kirbett]

Ok,

Ask ToolBar program removed (apparently entry in Add/Remove Programs listing was something along the lines of Support - Ask Tools ...).

Conduit programs removed (just one entry in Add/Remove Programs listing).

AdwCleaner downloaded and run, report follows (I note traces of Ask / Conduit in the report).

TDSSKiller downloaded and run as instructed, report attached (too long for posting inline).

----- AdwCleaner[R1].txt ----------------------------------------------------------------------------------------------------------------------

# AdwCleaner v2.112 - Logfile created 02/12/2013 at 21:24:42

# Updated 10/02/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Administrator - ROBYN2

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner0.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

File Found : C:\WINDOWS\system32\conduitEngine.tmp

Folder Found : C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit

Folder Found : C:\Documents and Settings\All Users\Application Data\Ask

***** [Registry] *****

Key Found : HKCU\Software\APN PIP

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine

Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2269050

Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2642697

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}

Key Found : HKLM\Software\PIP

Key Found : HKU\S-1-5-21-3041122359-1985549835-978781098-500\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2071 octets] - [12/02/2013 21:24:42]

########## EOF - C:\AdwCleaner[R1].txt - [2131 octets] ##########

TDSSKiller.2.8.16.0_12.02.2013_21.49.21_log.txt

[TheDarkKnight]

Good morning Kirbett,

AdwCleaner downloaded and run, report follows (I note traces of Ask / Conduit in the report).

Yes, this is very common.

Please do the following to re-run AdwCleaner:

• Please close all open programs and internet browsers.
  
• Double click on adwcleaner.exe to run the tool.
  
• Click on Delete.
  
• Confirm each time with OK.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
  
• Please post the content of that logfile in your reply.
  
• You can find the logfile at C:\AdwCleaner[s1].txt as well.
  Note: If you get a message that you must reboot the computer before starting deletion, please do. At reboot, only AdwCleaner will run and you can only click on the Delete button.
  When the deletion is done, AdwCleaner will reboot the computer again and open the logfile.

=====

TDSSKiller came back clean.

Please download the Kaspersky Virus Removal Tool from here to your Desktop.

Double-click the Removal Tool.

Click the cog in the upper right corner:

Select down to and including your main drive.

Once done please select the Automatic Scan tab and press Start Scan.

Allow AVP to delete all infections found.

Once it has finished select the Report tab.

Select the Detected threats report from the left and press the Save button.

Save it to your Desktop and post the contents in your next reply.

=====

Please provide the reports from AdwCleaner and Kaspersky.

[Kirbett]

Evening DarkKnight,

AdwCleaner rerun ... report follows.

Unable to download Kaspersky Virus Removal Tool at the moment - download fails with "404 Not Found .... The requested resource was not found." Will retry tomorrow unless you advise otherwise.

----- AdwCleaner[s1].txt ----------------------------------------------------------------------------------------------------------------------

# AdwCleaner v2.112 - Logfile created 02/13/2013 at 21:07:46

# Updated 10/02/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Administrator - ROBYN2

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner0.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\WINDOWS\system32\conduitEngine.tmp

Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Ask

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2269050

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2642697

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}

Key Deleted : HKLM\Software\PIP

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2200 octets] - [12/02/2013 21:24:42]

AdwCleaner[s1].txt - [2012 octets] - [13/02/2013 21:07:46]

########## EOF - C:\AdwCleaner[s1].txt - [2072 octets] ##########

[TheDarkKnight]

Hello Kirbett,

Please try downloading now. That was just temporary I think.

[Kirbett]

Morning DarkKnight,

Well, running Kaspersky VRT was apparently rather ... eventful ...

Relevant Context

End-user has in the past used Thunderbird for emails

End-user is now using MS Outlook (don't know reason for switch)

I believe at least some of the Thunderbird emails were migrated to Outlook

Old Thunderbird email folders have been retained and seem to reside on both C: and F: partitions

Prologue

First, I should note that I hadn't thought to suggest to the end-user that she check the status of and temporarily disable MS Windows Updates ... so ...

* End-user started KVRT. Initial progress appeared to be clean, and then the user went afk. On return, the user found that KVRT had apparently terminated (completely) while afk, therefore cause unknown

* System Rebooted - intent was to restart KVRT with regular monitoring of progress

- whereupon MS Windows Update automatically kicked-in during shutdown (maybe this had interfered with the KVRT scan?)

- end-user prematurely powered-off computer, trying to halt the update

- on power-on, machine appeared to fail to reboot

- on 2nd power-on, machine rebooted successfully, up and running normally

The Main Event - Episode 1

* Restarted KVRT, and left to run overnight

* In morning, KVRT found halted, with virus reported on "C-disk - Email-Worm.Win32.Luder.a" apparently in an executable in a "Happy New Year" email sent in 2006 (precise file location not recorded - see below)

* Disinfection not allowed, so Delete selected

* Resumed KVRT

* MS Windows Update popped up again, stating intending to reboot computer

* End-user attempted to change Windows Update option to "Ask me before you reboot"

* While then afk, system nevertheless rebooted

* So scan terminated by reboot, and NO REPORT available for details of removed virus. Do not know whether this was from current Outlook or superceded Thunderbird files

The Main Event - Episode 2

* Restarted KVRT

* Ran through to completion, with nothing to detect (so again NO REPORT)

The Main Event - Episode 3

* End-user decided to restart KVRT "but this time I found a button that allowed it to do a full high level security scan. The last ones were only on 50%. Thought it would be good to do the 100% (suitable for most users, it said)". I presume this means the Security level: High setting.

* Started Scan. Threats detected ... all seemed to be Email-Worm.Win32.Luder.a, stemming from an email received through Thunderbird in 2006

* Delete Archive selected when prompted (we believe these were all superceded mail archives)

* KVRT finally completed, with 13 threats detected, and 869710 objects scanned.

* Finally able to save a report (appended).

Epilogue

Report suggests 8 instances of Email-Worm.Win32.Luder.a detected and deleted, and 5 vulnerabilities.

Am I right in thinking that these infections were likely to be all unactivated and in files no longer referenced, on the basis that 1) there was no indication from KVRT of active infections being removed, from systems files, registry, or such-like, (albeit the first 2 KVRT scans terminated prematurely while afk), 2) no previous scan (MSE, MBAM, etc) detected the infections, and 3) there have been no reports of emails being transmitted from this computer in the format adopted by this virus?

------ Detected threats report from Kaspersky Virus Removal Tool ---------------------------------

Status: Deleted (events: 8)

15/02/2013 3:27:48 PM Deleted virus Email-Worm.Win32.Luder.a C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\42vwyw8v.default\Local Folders-1\Inbox High

15/02/2013 3:27:48 PM Deleted virus Email-Worm.Win32.Luder.a C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\42vwyw8v.default\Local Folders-1\Inbox//[From James S. Bullock <lauga@staib-sz.bmw-net.de>][Date 9 Dec 2006 16:02:25][subj Happy New Year!]/postcard.exe High

15/02/2013 10:09:52 PM Deleted virus Email-Worm.Win32.Luder.a F:\Mail\Local Folders-1\Inbox//[From James S. Bullock <lauga@staib-sz.bmw-net.de>][Date 9 Dec 2006 16:02:25][subj Happy New Year!]/postcard.exe High

15/02/2013 9:59:10 PM Deleted virus Email-Worm.Win32.Luder.a F:\Mail\To Outlook\Inbox\Happy New Year!_442_20101024_111113_718.eml//[From James S. Bullock <lauga@staib-sz.bmw-net.de>][Date 9 Dec 2006 16:02:25][subj Happy New Year!]/postcard.exe High

15/02/2013 10:13:56 PM Deleted virus Email-Worm.Win32.Luder.a F:\mail2\Mail\Local Folders-1\Inbox//[From James S. Bullock <lauga@staib-sz.bmw-net.de>][Date 9 Dec 2006 16:02:25][subj Happy New Year!]/postcard.exe High

15/02/2013 9:59:10 PM Deleted virus Email-Worm.Win32.Luder.a F:\Mail\To Outlook\Inbox\Happy New Year!_442_20101024_111113_718.eml High

15/02/2013 10:09:52 PM Deleted virus Email-Worm.Win32.Luder.a F:\Mail\Local Folders-1\Inbox High

15/02/2013 10:13:56 PM Deleted virus Email-Worm.Win32.Luder.a F:\mail2\Mail\Local Folders-1\Inbox High

Status: Vulnerability (events: 5)

15/02/2013 3:13:28 PM Vulnerability vulnerability http://www.securelis...dvisories/43267 C:\Documents and Settings\All Users\Application Data\{484395D8-1F9B-4C71-9DA9-A64CBD0E8DE2}\Family Tree Maker 2012 - Files\87708AEE\8AF3A878\Tutorial_PC.exe Low

15/02/2013 3:30:55 PM Vulnerability vulnerability http://www.securelis...dvisories/47009 C:\Program Files\GRETECH\GomPlayer\GOM.exe Low

15/02/2013 3:31:58 PM Vulnerability vulnerability http://www.securelis...dvisories/50949 C:\Program Files\Java\jre1.6.0_07\bin\java.exe Low

15/02/2013 4:09:26 PM Vulnerability vulnerability http://www.securelis...dvisories/51090 C:\WINDOWS\system32\Adobe\Shockwave 11\SwInit.exe Low

15/02/2013 4:13:30 PM Vulnerability vulnerability http://www.securelis...dvisories/47009 c:\Program Files\GRETECH\GomPlayer\GOM.exe Low

[TheDarkKnight]

Good morning Kirbett,

I'm afraid I have bad news about your computer.

Your log shows a dangerous worm was residing on your computer with a backdoor functionality. It is possible that a remote attacker has already breached your computer.

For more information on this worm, please see here.

Please consider disconnecting this computer from the Internet after you finish reading this and use a known clean computer to follow my suggestions regarding your personal information.

If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the worm has been identified and can be removed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of worm, the best course of action would be a reformat and reinstall of the Operating System.

Please visit the following sites for more information on internet theft and when to reformat!

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I will of course do my best to help clean the computer of any infections that I can see if you would like to continue.

If you have any questions before making a final decision, please feel free to ask.

Instructions on how to format and reinstall Windows can be found here

=====

Now, it is possible that this worm has been dealt with, and no lasting damage has been carried out.

Please run a free online scan with the ESET Online Scanner.

Note: You can use Internet Explorer or Mozilla Firefox for this scan.

• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start.
  
• When asked, allow the ActiveX control to install.
  
• Click Start.
  
• Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  
• Click Scan.
  Wait for the scan to finish.
  
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  
• Copy and paste that log as a reply to this topic.
  

Are there any current issues on the computer?

[Kirbett]

Morning DarkKnight,

Thanks very much for your support in assessing the status of this system. I understand, from the history of the system(s) concerned, that the detected virus was originally received, probably in 2006, on an earlier computer running Windows/98. We cannot recall if the virus was opened or activated at that time. Subsequently (in 2010), the end-user switched to a new computer system pre-installed with Windows/XP. I understand that the old data files (email files, documents, etc) were manually transferred by removable media to the new system after having been scanned by Malwarebytes (!). Since then, we believe that no attempt has been made to open the infected files.

I acknowledge that, nevertheless, there is a risk of infection of the new system having arisen via the removable media used to transfer the data files. That said, given that there has been no trace found yet of subsequent active infection by this particular virus, and given that the original symptoms on this thread do not seem to correlate with what may be expected of this virus, the end-user has decided to continue running with her current system, taking whatever steps are necessary to sanitise it, short of reinstalling. She will, nevertheless, continue to consider the option of reformatting/reinstallation.

She has run the ESET software as you requested. This has detected no errors, and the report is appended below.

There are three current issues with the computer. The end-user does not recall these issues arising prior to the installation of a new monitor about a year ago, although to me they all sound unrelated.

1) Toolbox icons for Adobe Photoshop Elements appear in silhouette (solid black on white), which should not be the case. The software is the original release of Photoshop (i.e. Version 1). I suspect either a corrupted or lost preferences file (apparently not uncommon in Photoshop) which may be resolved by reinstallation, or an incompatibility arising from the use of this legacy software on Windows/XP.

2) Rich text colour in emails (whether they are being received or composed) displays in black in Outlook 2003. Hyperlink colouring and other rich text controls (Bold, Italic, Underline, Font, etc) display correctly. The end-user can compose coloured text but sees only black text, although recipients will see the text correctly coloured. A web search suggests a number of similar (but not identical) issues with Outlook 2003 in this area. This is as yet unresolved.

3) A specific Excel spreadsheet prints incorrectly, with an unwanted grey overlay of some form. This is as yet to be explored.

-------------------------------------------------------------------------------------------------------------------------------------

ESETSmartInstaller@High as downloader log:

all ok

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=ec7d439090de624eb45410fc90e715fe

# engine=13175

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2013-02-17 12:17:43

# local_time=2013-02-17 11:17:43 (+1000, AUS Eastern Daylight Time)

# country="Australia"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5892 16777213 88 94 392905 25746529 0 0

# scanned=114836

# found=0

# cleaned=0

# scan_time=3738

[TheDarkKnight]

Hello Kirbett,

Those issues aside for a moment, all seems well at the moment.

Please download Security Check by screen317 from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

[Kirbett]

Evening DarkKnight,

Output from SecurityCheck appended. It seems the Java needs to be updated. I should note that,

1) Although Thunderbird is out-of-date, it is no longer used.

2) Malwarebytes Anti-Malware is a now-expired trial version, which was installed with MBAM Free at the start of this thread.

Also, I have discovered that issue 3) that I mentioned in my last post is not an issue with printing an MS Excel spreadsheet, but with printing an MS Access database report. The end-user is going to seek local Access expertise for help with sorting that out.

------------------------------------------------------------------------------------------------------------------------------------------------------------

Results of screen317's Security Check version 0.99.58

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Please wait while WMIC is being installed.d

i

s

p

l

a

y

N

a

m

e

ECHO is off.

M

i

c

r

o

s

o

f

t

ECHO is off.

S

e

c

u

r

i

t

y

ECHO is off.

E

s

e

n

t

i

a

l

s

ECHO is off.

M

i

c

r

o

s

o

f

t

ECHO is off.

S

e

c

u

r

i

t

y

ECHO is off.

E

s

e

n

t

i

a

l

s

ECHO is off.

Antivirus up to date! (On Access scanning disabled!)

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

Java™ 6 Update 7

Java version out of Date!

Adobe Flash Player 11.5.502.149

Mozilla Thunderbird (3.1.20) Thunderbird out of Date!

Google Chrome 24.0.1312.57

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials MSMpEng.exe

Microsoft Security Essentials msseces.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 3%

````````````````````End of Log``````````````````````

[TheDarkKnight]

Good evening Kirbett,

Although Thunderbird is out-of-date, it is no longer used.

You should still update it, because having out-of-date software is a security risk.

Malwarebytes Anti-Malware is a now-expired trial version, which was installed with MBAM Free at the start of this thread.

That's fine. MBAM in its free version is very effective; it only lacks the resident protection really.

====

Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable.

Please follow the instructions below to update Java:

• Please go to the below link and download the latest Windows XP version:
  

http://www.java.com/en/download/manual.jsp

• Save it to your Desktop.
  
• Please go to Start > Control Panel > Add Or Remove Programs.
  
• Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have this icon next to them:
  
• Select Remove.
  
• Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed.

And please update Mozilla Thunderbird.

=====

Please let me know how the updates go.

[Kirbett]

Evening DarkKnight,

* Java 6 Update 7 removed, no other versions present.

* Java 7 Update 13 (offline version) downloaded, installed, and Java verification test run successfully.

* Mozilla Thunderbird removed. Up-to-date version to be downloaded and installed if and when required.

[TheDarkKnight]

Good evening Kirbett,

A little housekeeping to uninstall ComboFix:

Please click Start>Run and copy/paste the following text, including the space between "ComboFix and "/uninstall", into the Run box and click OK:

ComboFix /uninstall

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

And AdwCleaner:

• Please double click on adwcleaner.exe to run the tool.
  
• Click on Uninstall.
  
• Confirm with Yes.

Right-click the Recycle Bin and please select Empty Recycle Bin.

=====

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and runningthe following program; it has a free version:

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

A software firewall will help increase your computer security. Free versions are available for the below firewalls:

• COMODO
  
• Online Armor
  
• Outpost

Please visit this tutorial for further information on firewalls.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.

[Kirbett]

Ok, DarkKnight,

ComboFix and AdwCleaner have been uninstalled and the end-user is taking on board the advice in your response (as am I). Am I right to conclude that IF the unsolicited emails mentioned at the start of this thread originated from her computer, then they did so in a manner which left no trace (that we could see) of infection on her machine after the event, and that this might have been the result if her Yahoo account had been briefly compromised (before she changed her password)? I'm assuming (for the time being) that they were unrelated to the virus payload found in the old emails.

I take it then that this is the end of the analysis. On that basis, the end-user is really pleased to have had her computer checked out this thoroughly, and has been delighted (and impressed) with the clarity of your guidance. We've both become much more aware of the risks of infection, and of the steps we can take to minimise those risks. And she's specifically asked me to tell you how grateful she is to have had your support.

Now I move on to trying to help her with a couple of her other issues mentioned above. I have no reason to believe these to be malware related, and have an idea of what may be behind the Outlook 2003 problem, so will take them up with another support site ... starting with answers.microsoft.com ... wish me luck!

[TheDarkKnight]

Good evening Kirbett,

Am I right to conclude that IF the unsolicited emails mentioned at the start of this thread originated from her computer, then they did so in a manner which left no trace (that we could see) of infection on her machine after the event, and that this might have been the result if her Yahoo account had been briefly compromised (before she changed her password)? I'm assuming (for the time being) that they were unrelated to the virus payload found in the old emails.

Yes, or they may have been removed by one of the tools.

I take it then that this is the end of the analysis. On that basis, the end-user is really pleased to have had her computer checked out this thoroughly, and has been delighted (and impressed) with the clarity of your guidance. We've both become much more aware of the risks of infection, and of the steps we can take to minimise those risks. And she's specifically asked me to tell you how grateful she is to have had your support.

You and the owner are most welcome. I am glad I could be of assistance.

Now I move on to trying to help her with a couple of her other issues mentioned above. I have no reason to believe these to be malware related, and have an idea of what may be behind the Outlook 2003 problem, so will take them up with another support site ... starting with answers.microsoft.com ... wish me luck!

Fingers crossed!

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!