Can't uninstall Avira

(In Progress)

CarpenterMan123
Member with 41 posts.
THREAD STARTER
Join Date: Feb 2009
31-Mar-2012, 01:55 PM #1
Can't uninstall Avira
I recently purchased a Norton security product and before that I had Avira free security. When I was using Avira, I often had trouble starting the computer and often had to perform what I think is called a "hard reset" (sometimes 4 or 5 times). Since getting Norton, that problem seems to have gone away. Before I installed Norton I wanted to uninstall Avira, and all went well until the restart, when again it wouldn't start. Now upon startup, I get a window that says it can't find Avira. I have used Revo Uninstaller but it can't find any files to remove. I've seen some files that belong to Avira but when I try to delete them manually it doesn't work (I forget the message). I just tried to download Avira again, and it can't remove its original program (something about "can't determine the feature control file"). It suggests a manual uninstall. I've looked at the registry through regedit and see about 19 files that belong to Avira, but can't remove them. Any ideas? Thanks, Steve
Phantom010
Trusted Advisor with 32,317 posts.
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
31-Mar-2012, 02:49 PM #2
1- Please click HERE to download HijackThis.

2- Run the program.

3- Click on the Main Menu button if not already there.

4- Select Do a system scan and save a logfile.

5- Copy and paste the scan log from Notepad into your next reply. Do not attach it.

6- Do not "Fix" anything unless advised to do so.


For Windows 7 and Vista:

If Windows is denying access to the Hosts file, run HijackThis as Administrator or disable the UAC first.
Triple6 (Rob)
Moderator with 43,204 posts.
Join Date: Dec 2002
Location: Canada
Experience: Advanced
31-Mar-2012, 08:29 PM #3
Avira has manual uninstall instructions posted on their website: http://www.avira.com/en/support-for-...etail/kbid/135
CarpenterMan123
Member with 41 posts.
THREAD STARTER
Join Date: Feb 2009
01-Apr-2012, 11:08 AM #4
Here's the info you wanted.

Trend Micro HijackThis v2.0.4
Scan saved at 10:05:58 AM, on 4/1/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19190)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Novatel Wireless\Virgin Mobile\MobiLink3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ZMCQGEM\HijackThis[1].exe
C:\Windows\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tangosearch.com/?useie5=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tangosearch.com/?useie5=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\6.1.2.10\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\6.1.2.10\IPS\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\6.1.2.10\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {3CF54FA8-E831-4F87-94AF-773773422634} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [oexYGbDoOc3PD8dNTQfpC:\Users\Steve\AppData\Roaming\Oncues] C:\Users\Steve\AppData\Roaming\Microsoft\Windows\fikwfgxw.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MobiLink3] C:\Program Files\Novatel Wireless\Virgin Mobile\MobiLink3.exe
O4 - HKCU\..\Run: [CPN Notifier] C:\Program Files\Cake Poker 2.0\PokerNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (file missing)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C639031-7573-4D80-B0ED-677E972C2379}: NameServer = 68.28.68.132 68.28.67.132
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\aestsrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\6.1.2.10\ccSvcHst.exe
O23 - Service: NitroPDFReaderDriverCreatorReadSpool (NitroReaderDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
O23 - Service: NovaCore SDK Service (NvtlService) - Unknown owner - C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\STacSV.exe
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
--
End of file - 10831 bytes
Phantom010
Trusted Advisor with 32,317 posts.
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
01-Apr-2012, 11:32 AM #5
Unfortunately, that computer is infected.

Please click on Report and kindly ask to be moved to the Virus & Other Malware Removal forum. Be sure to provide the appropriate reports in that forum after reading THIS. From there, be patient. The malware removal experts are very busy! You should get an answer within the next 48 hours.
jandttech
Account Disabled with 36 posts.
Join Date: Oct 2011
01-Apr-2012, 03:06 PM #6
http://www.avira.com/en/support/support_downloads.html this tool will get rid of this software
CarpenterMan123
Member with 41 posts.
THREAD STARTER
Join Date: Feb 2009
02-Apr-2012, 09:35 AM #7
Thanks Phantom, I am doing as you suggest. I'm curious: what alerted you to an infection? I'm a rookie, so simple is better. Thanks again.
Phantom010
Trusted Advisor with 32,317 posts.
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
02-Apr-2012, 09:41 AM #8
Quote (originally posted by CarpenterMan123):
Thanks Phantom, I am doing as you suggest. I'm curious: what alerted you to an infection? I'm a rookie, so simple is better. Thanks again.
O4 - HKCU\..\Run: [oexYGbDoOc3PD8dNTQfpC:\Users\Steve\AppData\Roaming\Oncues] C:\Users\Steve\AppData\Roaming\Microsoft\Windows\fikwfgxw.exe

Do not try removing that entry alone. It's only the tip of the iceberg. HijackThis shows very little when it comes to malware. The Malware Removal Specialists will guide you through the proper removal process.

Good luck!
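To show what a defender can automate from the point Phantom010 makes above, here is an added Python example (written for this edit; it is not part of the thread and not HijackThis code) that parses HijackThis O4 autostart lines and scores each one against the indicators that made that entry stand out: an executable under a user-writable profile directory, a machine-generated-looking file name, a machine-generated-looking value name, and a value name that embeds a filesystem path. The sample lines are copied in form from the log posted earlier in this thread; the heuristics, thresholds and function names are this example's own assumptions, not a published rule set.

```python
import re

# Constructed sample: five O4 lines in the format HijackThis prints, taken in
# shape from the log posted earlier in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe',
    r'O4 - HKCU\..\Run: [Google Update] "C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe" /c',
    r'O4 - HKCU\..\Run: [oexYGbDoOc3PD8dNTQfpC:\Users\Steve\AppData\Roaming\Oncues] C:\Users\Steve\AppData\Roaming\Microsoft\Windows\fikwfgxw.exe',
    r'O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe',
]

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Directory markers a standard user can write to without elevation (assumption:
# a short list is enough for this illustration).
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')


def parse_o4(line):
    """Return hive, key, value name and executable path for one O4 line, or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group('cmd').strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        em = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)
        exe = em.group(1) if em else cmd.split(' ')[0]
    return {'hive': m.group('hive'), 'key': m.group('key'),
            'name': m.group('name'), 'exe': exe}


def looks_random(token):
    """Heuristic: few vowels, or many case flips with digits wedged between letters."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 7:
        return False
    vowel_ratio = sum(c.lower() in 'aeiouy' for c in letters) / len(letters)
    case_flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    digits_inside = re.search(r'[A-Za-z]\d[A-Za-z]', token) is not None
    return vowel_ratio < 0.2 or (case_flips >= 5 and digits_inside)


def suspicious_reasons(entry):
    """List every indicator that fires for one parsed O4 entry."""
    reasons = []
    exe_lower = entry['exe'].lower()
    if any(marker in exe_lower for marker in USER_WRITABLE):
        reasons.append('executable lives in a user-writable directory')
    stem = re.sub(r'\.exe$', '', exe_lower.rsplit('\\', 1)[-1])
    if looks_random(stem):
        reasons.append('executable name looks machine-generated')
    # Judge only the part of the value name before any embedded drive/path.
    name_token = re.split(r'[:\\]', entry['name'])[0]
    if looks_random(name_token):
        reasons.append('Run value name looks machine-generated')
    if '\\' in entry['name'] or ':' in entry['name']:
        reasons.append('Run value name embeds a filesystem path')
    return reasons


def triage(lines, threshold=2):
    """Parse O4 lines and mark an entry suspicious when >= threshold indicators fire."""
    results = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        entry['reasons'] = suspicious_reasons(entry)
        entry['suspicious'] = len(entry['reasons']) >= threshold
        results.append(entry)
    return results


if __name__ == '__main__':
    for e in triage(SAMPLE_O4_LINES):
        flag = 'SUSPICIOUS' if e['suspicious'] else 'ok'
        print(f"{flag:10} [{e['name'][:24]}] {e['exe']}")
        for r in e['reasons']:
            print(f"{'':10}   - {r}")
```

Two or more indicators flag an entry; a single one (the Google updater under AppData\Local, or the HP updater's terse file name) is reported but not flagged, which keeps the script from crying wolf on ordinary vendor software. A hit from a script like this is a reason to collect the full reports the advice above asks for, not a reason to delete the entry on its own.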
CarpenterMan123
Member with 41 posts.
THREAD STARTER
Join Date: Feb 2009
02-Apr-2012, 10:19 AM #9
Thanks again. I won't try anything without direction.
CarpenterMan123
Member with 41 posts.
THREAD STARTER
Join Date: Feb 2009
03-Apr-2012, 09:28 AM #10
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19190 BrowserJavaVersion: 1.6.0_29
Run by Steve at 16:59:04 on 2012-04-01
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.1478 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\aestsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton 360\Engine\6.1.2.10\ccSvcHst.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
C:\Program Files\Norton 360\Engine\6.1.2.10\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Novatel Wireless\Virgin Mobile\MobiLink3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig
uSearch Bar = hxxp://www.tangosearch.com/?useie5=1&q=
mSearch Bar = hxxp://www.tangosearch.com/?useie5=1&q=
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\6.1.2.10\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\6.1.2.10\ips\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\6.1.2.10\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Google Update] "c:\users\steve\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [oexYGbDoOc3PD8dNTQfpc:\users\steve\appdata\roaming\oncues] c:\users\steve\appdata\roaming\microsoft\windows\fikwfgxw.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MobiLink3] c:\program files\novatel wireless\virgin mobile\MobiLink3.exe
uRun: [CPN Notifier] c:\program files\cake poker 2.0\PokerNotifier.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
mRun: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon]
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{7C639031-7573-4D80-B0ED-677E972C2379} : NameServer = 68.28.68.132 68.28.67.132
AppInit_DLLs:
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\steve\appdata\roaming\mozilla\firefox\profiles\i94gsoh6.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\programdata\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\steve\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - Ext: Wyyo: {0CA8283E-056B-40D7-A343-83C84105CE78} - c:\program files\mozilla firefox\extensions\{0CA8283E-056B-40D7-A343-83C84105CE78}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\programdata\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0601020.00a\symds.sys [2012-3-23 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0601020.00a\symefa.sys [2012-3-23 905336]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\bashdefs\20120317.002\BHDrvx86.sys [2012-3-20 820856]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\0601020.00a\ccsetx86.sys [2012-3-23 132744]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\ipsdefs\20120330.002\IDSvix86.sys [2012-3-31 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0601020.00a\ironx86.sys [2012-3-23 149624]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0601020.00a\symtdiv.sys [2012-3-23 345208]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files\hewlett-packard\media\dvd\000.fcl [2008-9-26 59376]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_805f33de\AEstSrv.exe [2010-11-21 77824]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-22 66616]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-18 19456]
R2 N360;Norton 360;c:\program files\norton 360\engine\6.1.2.10\ccsvchst.exe [2012-3-23 138232]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2010-12-3 196912]
R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2009-8-24 82432]
R2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVCapSvc.exe [2008-9-24 296320]
R2 TVSched;TV Task Scheduler (TVTS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVSched.exe [2008-9-24 116096]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-4 54784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-3-4 106104]
R3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\drivers\nwvmmdm.sys [2009-5-15 174720]
R3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\drivers\nwvmser.sys [2009-5-15 174720]
R3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\drivers\nwvmser2.sys [2009-5-15 174720]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2010-11-21 22072]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-22 136360]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-22 269480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-21 136176]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-23 193840]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-21 136176]
S3 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-23 365904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-23 23:21:31 905336 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\symefa.sys
2012-03-23 23:21:31 345208 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\symtdiv.sys
2012-03-23 23:21:31 340088 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\symds.sys
2012-03-23 23:21:31 32888 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\srtspx.sys
2012-03-23 23:21:31 318584 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\symnets.sys
2012-03-23 23:21:30 574584 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\srtsp.sys
2012-03-23 23:21:30 149624 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\ironx86.sys
2012-03-23 23:21:30 132744 ----a-r- c:\windows\system32\drivers\n360\0601020.00a\ccsetx86.sys
2012-03-23 23:21:07 4782 ----a-w- c:\windows\system32\drivers\n360\0601020.00a\symvtcer.dat
2012-03-23 23:21:07 -------- d-----w- c:\windows\system32\drivers\n360\0601020.00A
2012-03-14 10:23:30 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 10:23:27 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 10:23:27 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 10:23:27 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 10:23:27 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 10:23:27 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 10:23:25 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-14 10:23:04 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 10:23:04 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-13 10:14:13 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2012-03-13 10:14:13 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2012-03-03 15:26:44 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-03-03 15:26:44 -------- d-----w- c:\program files\common files\Symantec Shared
2012-03-03 15:25:12 -------- d-----w- c:\windows\system32\drivers\N360
2012-03-03 15:25:09 -------- d-----w- c:\program files\Norton 360
2012-03-03 15:16:00 -------- d-----w- c:\program files\NortonInstaller
.
==================== Find3M ====================
.
2012-01-27 06:21:24 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 17:00:53.21 ===============



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-02 05:59:18
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9250320AS rev.HP07
Running: cwxqiq4x[1].exe; Driver: C:\Users\Steve\AppData\Local\Temp\ugloypob.sys

---- System - GMER 1.0.15 ----
SSDT 898C9930 ZwAlertResumeThread
SSDT 898C9C70 ZwAlertThread
SSDT 890E91E8 ZwAllocateVirtualMemory
SSDT 89051968 ZwAlpcConnectPort
SSDT 898E5A88 ZwAssignProcessToJobObject
SSDT 8913B510 ZwCreateMutant
SSDT 8DBD7B6E ZwCreateSection
SSDT 898C97A0 ZwCreateSymbolicLinkObject
SSDT 8947B6F0 ZwCreateThread
SSDT 898E5B68 ZwDebugActiveProcess
SSDT 890E93B8 ZwDuplicateObject
SSDT 89681B00 ZwFreeVirtualMemory
SSDT 8913B600 ZwImpersonateAnonymousToken
SSDT 8913B940 ZwImpersonateThread
SSDT 89052F68 ZwLoadDriver
SSDT 89681A00 ZwMapViewOfSection
SSDT 8913B430 ZwOpenEvent
SSDT 890E9598 ZwOpenProcess
SSDT 890E92D8 ZwOpenProcessToken
SSDT 898E5FD0 ZwOpenSection
SSDT 890E94A8 ZwOpenThread
SSDT 898E5998 ZwProtectVirtualMemory
SSDT 898C9D30 ZwResumeThread
SSDT 8DBD7B73 ZwSetContextThread
SSDT 89681830 ZwSetInformationProcess
SSDT 898E5EA8 ZwSetSystemInformation
SSDT 8913B0F0 ZwSuspendProcess
SSDT 890E99F0 ZwSuspendThread
SSDT 8DBD7B0F ZwTerminateProcess
SSDT 890E9D30 ZwTerminateThread
SSDT 89681920 ZwUnmapViewOfSection
SSDT 89681BF0 ZwWriteVirtualMemory
SSDT 898C9890 ZwCreateThreadEx
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 11D 82EAC8A0 8 Bytes [30, 99, 8C, 89, 70, 9C, 8C, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 82EAC8B4 4 Bytes [E8, 91, 0E, 89]
.text ntkrnlpa.exe!KeSetEvent + 13D 82EAC8C0 4 Bytes [68, 19, 05, 89]
.text ntkrnlpa.exe!KeSetEvent + 191 82EAC914 4 Bytes [88, 5A, 8E, 89]
.text ntkrnlpa.exe!KeSetEvent + 1F5 82EAC978 4 Bytes [10, B5, 13, 89]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0xA0605000, 0x23100A, 0xE8000020]
C:\Program Files\Hewlett-Packard\Media\DVD\000.fcl entry point in "" section [0xB2D4241C]
.clc C:\Program Files\Hewlett-Packard\Media\DVD\000.fcl unknown last code section [0xB2D43000, 0x1000, 0xE0000020]
? C:\Users\Steve\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] ntdll.dll!NtMapViewOfSection 77B24994 5 Bytes JMP 0317003A
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] ntdll.dll!NtSetInformationProcess 77B25194 5 Bytes JMP 031700F7
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] kernel32.dll!ReadProcessMemory + 3E 77C41CB3 7 Bytes JMP 031701B0
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] kernel32.dll!WriteProcessMemory + 106 77C41DBE 7 Bytes JMP 031703D2
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] kernel32.dll!CreateIoCompletionPort + 52 77C69DA6 7 Bytes JMP 03170488
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] kernel32.dll!VirtualAllocEx + 54 77C8AF70 7 Bytes JMP 0317031C
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] kernel32.dll!GetProcessHandleCount + 35 77CD5D4F 7 Bytes JMP 03170266
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 6BA49AA5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!CallNextHookEx 76328E3B 5 Bytes JMP 6BA3D119 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 6B9B4686 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!CreateWindowExW 76331305 5 Bytes JMP 6BA4DB14 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!DialogBoxParamW 763510B0 5 Bytes JMP 6B975505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!DialogBoxIndirectParamW 76352EF5 5 Bytes JMP 6BB453AF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!DialogBoxParamA 76368152 5 Bytes JMP 6BB4534C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!DialogBoxIndirectParamA 7636847D 5 Bytes JMP 6BB45412 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!MessageBoxIndirectA 7637D4D9 5 Bytes JMP 6BB452E1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!MessageBoxIndirectW 7637D5D3 5 Bytes JMP 6BB45276 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!MessageBoxExA 7637D639 5 Bytes JMP 6BB45214 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] USER32.dll!MessageBoxExW 7637D65D 5 Bytes JMP 6BB451B2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] ole32.dll!OleLoadFromStream 77661E80 5 Bytes JMP 6BB45717 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] ole32.dll!CoGetTreatAsClass + D2F 7767FAE3 7 Bytes JMP 0317053E
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] ole32.dll!CoCreateInstance 77699F3E 5 Bytes JMP 6BA4DB70 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3928] ole32.dll!CoCreateInstance + 3E 77699F7C 7 Bytes JMP 031705F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5348] USER32.dll!CreateWindowExW 76331305 5 Bytes JMP 6BA4DB14 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5348] USER32.dll!DialogBoxParamW 763510B0 5 Bytes JMP 6B975505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5348] USER32.dll!DialogBoxIndirectParamW 76352EF5 5 Bytes JMP 6BB453AF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5348] USER32.dll!DialogBoxParamA 76368152 5 Bytes JMP 6BB4534C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5348] USER32.dll!DialogBoxIndirectParamA 7636847D 5 Bytes JMP 6BB45412 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5348] USER32.dll!MessageBoxIndirectA 7637D4D9 5 Bytes JMP 6BB452E1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5348] USER32.dll!MessageBoxIndirectW 7637D5D3 5 Bytes JMP 6BB45276 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5348] USER32.dll!MessageBoxExA 7637D639 5 Bytes JMP 6BB45214 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5348] USER32.dll!MessageBoxExW 7637D65D 5 Bytes JMP 6BB451B2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74967817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [749BA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7496BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7495F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [749675E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7495E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74998395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7496DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7495FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7495FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [749571CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [749ECAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7498C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7495D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74956853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7495687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74962AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
---- EOF - GMER 1.0.15 ----
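An added example, not from this thread or from the DDS tool itself, of parsing service/driver lines in the format the DDS log above uses and flagging auto-start entries that are stopped but still point into the folder of a product the user has removed (the two S2 Avira entries are what such a check would catch). The reading of the prefix as R/S = running/stopped plus a start-type digit, the constructed sample lines, and the helper names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the DDS service/driver line format (not a real log);
# the two Avira lines mirror the S2 entries quoted in the thread.
SAMPLE_DDS = """\
R3 usbfilter;AMD USB Filter Driver;c:\\windows\\system32\\drivers\\usbfilter.sys [2010-11-21 22072]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\\program files\\avira\\antivir desktop\\sched.exe [2010-11-22 136360]
S2 AntiVirService;Avira AntiVir Guard;c:\\program files\\avira\\antivir desktop\\avguard.exe [2010-11-22 269480]
S3 gupdatem;Google Update Service (gupdatem);c:\\program files\\google\\update\\GoogleUpdate.exe [2010-11-21 136176]
"""

# Assumed layout: <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]\s*$"
)

# Assumed meaning of the start-type digit (Windows SERVICE_*_START values).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


@dataclass
class ServiceEntry:
    running: bool       # R = running, S = stopped (assumed convention)
    start_type: int
    name: str
    display: str
    path: str           # normalised to lower case for matching
    size: int


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line; separators and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            running=m["state"] == "R",
            start_type=int(m["start"]),
            name=m["name"],
            display=m["display"],
            path=m["path"].lower(),
            size=int(m["size"]),
        ))
    return entries


def find_orphaned_autostart(entries: List[ServiceEntry],
                            removed_dirs: List[str]) -> List[str]:
    """Names of auto-start entries that are not running and whose image path
    sits under a directory of a product that has been uninstalled: these are
    the leftovers that produce 'cannot find ...' errors at boot and should be
    removed rather than left registered."""
    hits = []
    for e in entries:
        under_removed = any(d.lower() in e.path for d in removed_dirs)
        if e.start_type == 2 and not e.running and under_removed:
            hits.append(e.name)
    return hits


if __name__ == "__main__":
    parsed = parse_dds_services(SAMPLE_DDS)
    for name in find_orphaned_autostart(parsed, ["c:\\program files\\avira"]):
        print(f"orphaned {START_TYPES[2]}-start service: {name}")
```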
DFW's Avatar
DFW DFW is offline DFW is authorized to help remove malware.
Computer Specs
Malware Removal Specialist with 1,458 posts.
 
Join Date: Jun 2004
Location: 127.0.0.1 (UK)
04-Apr-2012, 05:52 PM #11
Hi CarpenterMan123

I'm DFW and I am going to try and help you with your Malware problem. Please observe the following points and rules while we work:
  • The clean up process can take time. Please continue to review my answers until I tell you your machine is clear; absence of symptoms does not mean that everything is clear.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Some of the logs we ask for can take some time to analyse, so please be patient.
  • This may, or may not, solve other issues you have with your machine.



Quote:
Windows Vista & 7 Advice
All applications I ask to be used will require to be run in Administrator mode, i.e. right click on and select Run as Administrator.
Your Operating System in use comes with an inbuilt utility called User Access Control (UAC).
When prompted by this for anything I ask you to carry out, please select the option Allow.


We will remove the leftovers of Avira as we go. Avira have a tool to remove the registry entries that are left behind, which we will run shortly; we will remove the SERVICES / DRIVERS and files as we clean your system.




P2P Warning!
  • IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    360Share

    Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
    Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    Please read these short reports on the dangers of peer-2-peer programs and file sharing.
    I would recommend that you uninstall the above; however, that choice is up to you.
    If you decide to keep the program in spite of the risks involved, do not use it until I have finished cleaning your computer and have given you the all clear.




Upload File/Files for testing

Please go to Virustotal

Copy/paste each file and path into the white box at the top one at a time.
Quote:
C:\Users\Steve\AppData\Roaming\Microsoft\Windows\fikwfgxw.exe
Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address:





Download and Run MalwareBytes' Anti-Malware It is free for home use.
Please go here to the Download Location, click on Download in the Free column.
When the next page comes up, click on the Download Now button.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Click the browse folders button, then click on Desktop on the left as the location for the installer and click Save again. Close the dialog when the download is complete.
  • You should now have a desktop icon named mbam-setup.exe. (If the download was saved somewhere else, locate it and copy or move it to your desktop).
  • Right click it, choose Run as administrator and Continue
  • Let it install where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version. A shield symbol will show on the desktop icon while it is updating, and will disappear when it's done.
  • If necessary, start Malwarebytes Anti-Malware again.
    (You can Decline any Offer for a Trial if you don't want the paid version)
  • Once the program has started up, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents. The logs are listed and named by time/date stamp.






Please post back

File scan results.
MalwareBytes Log



.
CarpenterMan123's Avatar
CarpenterMan123 CarpenterMan123 is offline
Computer Specs
Member with 41 posts.
THREAD STARTER
 
Join Date: Feb 2009
05-Apr-2012, 10:59 AM #12
Hi DFW and thanks for your help. I just uninstalled 360 Share and am wondering if I need to delete the songs I got from it. I've gone to Virustotal and although the "scan it" button is active, I don't see any signs of a scan taking place. I will now try the MalwareBytes site.
DFW's Avatar
DFW DFW is offline DFW is authorized to help remove malware.
Computer Specs
Malware Removal Specialist with 1,458 posts.
 
Join Date: Jun 2004
Location: 127.0.0.1 (UK)
05-Apr-2012, 12:30 PM #13
Ok just run the MalwareBytes scan and post back the log and we will take it from there.
CarpenterMan123's Avatar
CarpenterMan123 CarpenterMan123 is offline
Computer Specs
Member with 41 posts.
THREAD STARTER
 
Join Date: Feb 2009
05-Apr-2012, 04:12 PM #14
I've got the malware stuff but I did have a problem. The first time I scanned it my computer seemed to freeze up, and after an hour of repairing I shut it off. I wasn't able to get a log for it but if I remember right, there were about 360 items detected and I think all were adware except the last 4 items (for which we have a log).

dows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19190
Steve :: STEVE-PC [administrator]
4/5/2012 2:00:04 PM
mbam-log-2012-04-05 (14-00-04).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195834
Time elapsed: 8 minute(s), 24 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 4
C:\Users\Steve\AppData\Roaming\RegTool (Rogue.RegTool) -> Quarantined and deleted successfully.
C:\Users\Steve\AppData\Roaming\RegTool\Results (Rogue.RegTool) -> Quarantined and deleted successfully.
C:\ProgramData\ResultTool (Adware.ResultTool) -> Quarantined and deleted successfully.
C:\Program Files\ResultTool (Adware.ResultTool) -> Quarantined and deleted successfully.
Files Detected: 0
(No malicious items detected)
(end)
DFW's Avatar
DFW DFW is offline DFW is authorized to help remove malware.
Computer Specs
Malware Removal Specialist with 1,458 posts.
 
Join Date: Jun 2004
Location: 127.0.0.1 (UK)
05-Apr-2012, 05:47 PM #15
Let's see if the first run of MalwareBytes created a log, as it would be helpful to see what it removed.

Open Malwarebytes' Anti-Malware
Click on the Logs tab
The log you posted was dated 4/5/2012 2:00:04 PM
In the logs, see if there is a log timed just before this one.

Please copy and paste into your next reply if it's there.




Uninstall programs
Old versions of Java can be exploited.
  • Click on Start.
  • All programs.
  • Accessories.
  • Run.
  • In the open text box copy/paste appwiz.cpl Then click Ok.
  • Uninstall the following if present.
Java Auto Updater
Java(TM) 6 Update 29

Reboot



Update Java SE Runtime Environment (JRE).

Please download from HERE
  • Find Java SE 7u3.
  • Click the Download JRE button to the right.
  • Choose the correct Platform and Multi-language: Windows x86 (32-bit) Offline, then Next, and check the box that says
    I agree to the Java SE Runtime Environment 7 License Agreement.
  • Click the Continue button.
  • Click on the filename under Windows Offline Installation and save it to your desktop.
  • Close all active windows.
  • Install the program.



Please download OTL by Old Timer and save it to your Desktop.
  • Right click on OTL.exe And select Run as administrator to run it.
  • Under Output, ensure that Standard Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.



Please post back
both OTL Logs.
Malwarebytes Log from first run if possible.