
Topic: My computer is sending out emails! Virus?


Libera (Topic Starter, Rookie)

    Re: My computer is sending out emails! Virus?
    « Reply #15 on: September 02, 2010, 09:02:01 PM »
    OK, I tried again; it says the source file cannot be read. I tried again, and then it says an unknown error occurred.
    From McAfee I get this pop-up:

    About this Trojan
    Detected: Artemis!270F22429B2F (Trojan), Artemis!270F22429B2F (Trojan)
    Location: C:\Users\Sanna\AppData\Local\Mozilla\Firefox\Profiles\vs32t4xs.default\Cache\1EF26877d01

    Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.


    I will try to get it on a different computer ASAP.

    ETA:
    I disabled McAfee, after which it let me download ComboFix. As soon as McAfee came back on, it removed ComboFix automatically! But I got the log; here it is:

    ComboFix 10-09-01.04 - Sanna 09/02/2010  20:59:39.3.2 - x86
    Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2037.935 [GMT -7:00]
    Running from: c:\users\Sanna\Desktop\ComboFix.exe
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    (((((((((((((((((((((((((   Files Created from 2010-08-03 to 2010-09-03  )))))))))))))))))))))))))))))))
    .

    2010-09-03 04:08 . 2010-09-03 04:08   --------   d-----w-   c:\users\Sanna\AppData\Local\temp
    2010-09-03 04:08 . 2010-09-03 04:08   --------   d-----w-   c:\users\Public\AppData\Local\temp
    2010-09-03 04:08 . 2010-09-03 04:08   --------   d-----w-   c:\users\Mcx1\AppData\Local\temp
    2010-09-03 04:08 . 2010-09-03 04:08   --------   d-----w-   c:\users\IUSR_NMPR\AppData\Local\temp
    2010-09-03 04:08 . 2010-09-03 04:08   --------   d-----w-   c:\users\Default\AppData\Local\temp
    2010-09-03 04:08 . 2010-09-03 04:08   --------   d-----w-   c:\users\andy\AppData\Local\temp
    2010-09-03 04:08 . 2010-09-03 04:08   --------   d-----w-   c:\users\andy.andy-PC\AppData\Local\temp
    2010-09-02 23:23 . 2010-09-02 23:24   --------   d-----w-   c:\program files\QuickTime
    2010-09-02 23:23 . 2010-09-02 23:23   --------   d-----w-   c:\programdata\Apple Computer
    2010-08-26 00:08 . 2010-08-26 00:08   --------   d-----w-   c:\windows\Sun
    2010-08-19 01:59 . 2010-08-19 01:59   388096   ----a-r-   c:\users\Sanna\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-18 06:31 . 2010-08-18 06:31   --------   d-----w-   c:\program files\Trend Micro
    2010-08-18 06:25 . 2010-07-17 12:00   423656   ----a-w-   c:\windows\system32\deployJava1.dll
    2010-08-18 01:34 . 2010-08-18 01:34   63488   ----a-w-   c:\users\Sanna\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-08-18 01:34 . 2010-08-18 01:34   52224   ----a-w-   c:\users\Sanna\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-08-18 01:34 . 2010-08-18 01:34   117760   ----a-w-   c:\users\Sanna\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-08-18 01:34 . 2010-08-18 01:34   --------   d-----w-   c:\users\Sanna\AppData\Roaming\SUPERAntiSpyware.com
    2010-08-18 01:34 . 2010-08-18 01:34   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
    2010-08-18 01:34 . 2010-08-18 01:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2010-08-18 01:25 . 2010-08-18 01:25   --------   d-----w-   c:\programdata\Yahoo! Companion
    2010-08-18 01:25 . 2010-08-18 01:25   --------   d-----w-   c:\program files\CCleaner
    2010-08-12 23:54 . 2010-06-08 17:35   3600768   ----a-w-   c:\windows\system32\ntkrnlpa.exe
    2010-08-12 23:54 . 2010-06-08 17:35   3548040   ----a-w-   c:\windows\system32\ntoskrnl.exe
    2010-08-12 23:54 . 2010-06-11 16:15   1248768   ----a-w-   c:\windows\system32\msxml3.dll
    2010-08-12 23:54 . 2010-06-18 15:04   302080   ----a-w-   c:\windows\system32\drivers\srv.sys
    2010-08-12 23:54 . 2010-06-18 15:04   144896   ----a-w-   c:\windows\system32\drivers\srv2.sys
    2010-08-12 23:54 . 2010-06-16 16:04   905088   ----a-w-   c:\windows\system32\drivers\tcpip.sys
    2010-08-09 00:18 . 2010-08-09 00:19   --------   d-----w-   c:\users\Sanna\AppData\Roaming\Ipswitch
    2010-08-09 00:17 . 2010-08-09 00:17   --------   d-----w-   c:\programdata\Ipswitch
    2010-08-09 00:17 . 2010-08-09 00:17   --------   d-----w-   c:\program files\Ipswitch
    2010-08-09 00:16 . 2010-08-09 00:16   --------   d-----w-   c:\users\Sanna\AppData\Roaming\InstallShield

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-03 03:16 . 2008-04-07 16:53   --------   d-----w-   c:\program files\Common Files\Adobe
    2010-08-26 02:22 . 2007-06-14 06:08   --------   d-----w-   c:\program files\Common Files\Symantec Shared
    2010-08-26 00:58 . 2009-08-26 05:18   --------   d-----w-   c:\users\Sanna\AppData\Roaming\gtk-2.0
    2010-08-20 17:42 . 2007-02-26 16:32   --------   d-----w-   c:\programdata\WildTangent
    2010-08-18 06:25 . 2007-02-26 16:40   --------   d-----w-   c:\program files\Common Files\Java
    2010-08-18 06:25 . 2007-02-26 16:40   --------   d-----w-   c:\program files\Java
    2010-08-18 01:25 . 2007-06-20 05:11   --------   d-----w-   c:\program files\Yahoo!
    2010-08-13 10:02 . 2007-02-26 16:37   --------   d-----w-   c:\programdata\Microsoft Help
    2010-08-13 10:01 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
    2010-08-09 00:17 . 2007-02-26 16:28   --------   d--h--w-   c:\program files\InstallShield Installation Information
    2010-07-20 02:30 . 2007-07-02 22:01   2314   ----a-w-   c:\users\Sanna\AppData\Roaming\wklnhst.dat
    2010-06-28 04:22 . 2010-06-28 04:22   501936   ----a-w-   c:\programdata\Google\Google Toolbar\Update\gtbDBA2.tmp.exe
    2010-06-26 06:05 . 2010-08-12 23:55   916480   ----a-w-   c:\windows\system32\wininet.dll
    2010-06-26 06:02 . 2010-08-12 23:55   71680   ----a-w-   c:\windows\system32\iesetup.dll
    2010-06-26 06:02 . 2010-08-12 23:55   109056   ----a-w-   c:\windows\system32\iesysprep.dll
    2010-06-26 04:25 . 2010-08-12 23:55   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
    2010-06-25 21:34 . 2010-06-25 21:34   690952   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-06-21 13:37 . 2010-08-12 23:55   2037760   ----a-w-   c:\windows\system32\win32k.sys
    2010-06-18 17:31 . 2010-08-12 23:55   36864   ----a-w-   c:\windows\system32\rtutils.dll
    2010-06-11 16:16 . 2010-08-12 23:55   274944   ----a-w-   c:\windows\system32\schannel.dll
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-16 39408]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="sttray.exe" [2006-11-02 303104]
    "CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
    "NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
    "McAfeeUpdate"="c:\program files\McAfee\MSC\McUpdUtl.exe" [2010-02-11 300352]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-02-22 222504]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-16 151552]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
    "EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2008-05-22 151552]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    c:\users\Sanna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):27,02,49,61,61,48,ca,01

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2649331228-3696308728-864307741-1001]
    "EnableNotificationsRef"=dword:00000002

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2649331228-3696308728-864307741-500]
    "EnableNotificationsRef"=dword:00000002

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 135664]
    R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
    R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
    R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680]
    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-08-20 716272]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
    S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys [2006-09-28 28672]
    S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
    S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-02-26 5504]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
    getPlusHelper   REG_MULTI_SZ      getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]

    2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 16:54]

    2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 16:54]

    2010-08-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-10 20:22]

    2010-09-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-10 20:22]

    2010-09-03 c:\windows\Tasks\Norton Security Scan for Sanna.job
    - c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-02-18 14:31]

    2010-08-11 c:\windows\Tasks\TASK20100810204837.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810204956.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810205032.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810212436.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810212448.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810212457.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810212507.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810212514.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810213336.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214229.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214240.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214247.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214301.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214351.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214359.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214424.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214433.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214802.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214815.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214824.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214832.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100810214841.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-13 c:\windows\Tasks\TASK20100811154011.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-13 c:\windows\Tasks\TASK20100811154254.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-13 c:\windows\Tasks\TASK20100811155208.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-11 c:\windows\Tasks\TASK20100811155426.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-13 c:\windows\Tasks\TASK20100811155619.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-13 c:\windows\Tasks\TASK20100811161118.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-13 c:\windows\Tasks\TASK20100811161456.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-13 c:\windows\Tasks\TASK20100811194013.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

    2010-08-12 c:\windows\Tasks\TASK20100811194152.job
    - c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1033&_lang=EN
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5428
    uInternet Settings,ProxyOverride = <local>
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    LSP: c:\windows\system32\wpclsp.dll
    FF - ProfilePath - c:\users\Sanna\AppData\Roaming\Mozilla\Firefox\Profiles\vs32t4xs.default\
    FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1033&_lang=EN
    FF - component: c:\users\Sanna\AppData\Roaming\Mozilla\Firefox\Profiles\vs32t4xs.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\users\Sanna\AppData\Roaming\Mozilla\Firefox\Profiles\vs32t4xs.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\users\Sanna\AppData\Roaming\Mozilla\Firefox\Profiles\vs32t4xs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************
    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully
    hidden files:

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2649331228-3696308728-864307741-1002\Software\SecuROM\License information*]
    "datasecu"=hex:0c,4a,79,53,57,5b,17,b2,93,c1,9b,d3,d2,ba,37,ca,1e,1a,ed,5a,80,
       5d,03,0f,2c,62,a9,34,5a,90,d1,1d,8e,18,1a,24,58,85,c5,ea,4a,66,05,ff,d4,03,\
    "rkeysecu"=hex:c6,84,0b,26,f1,a9,ea,d9,28,51,48,fe,38,e9,69,1d

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-09-02  21:13:37
    ComboFix-quarantined-files.txt  2010-09-03 04:13
    ComboFix2.txt  2010-08-20 16:06

    Pre-Run: 84,794,810,368 bytes free
    Post-Run: 84,803,801,088 bytes free

    - - End Of File - - 3291FF7215808E2B812A6A53CF2F39AB
    « Last Edit: September 02, 2010, 09:55:49 PM by Libera »
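
    As an added example, not part of the thread and not ComboFix's own code: a small Python script that pulls the Run-key values and the scheduled-task targets out of a log in the ComboFix format above and flags the things a responder checks first. Autostart images given without a full path (`"SigmatelSysTrayApp"="sttray.exe"` is resolved through the search path), images under user-writable directories, and executables that back many auto-named `TASKyyyymmddhhmmss.job` tasks all get listed. In the log above, wsftppro.exe backs 31 such tasks; the names follow a timestamp pattern and all point at WS_FTP's own executable, which is consistent with WS_FTP's scheduler, but volume like that is something you confirm with the user rather than assume. The embedded excerpt is constructed from lines in the posted log, plus one invented `Updater` value under `AppData\Local\temp` (hypothetical, not in the real log) so the user-writable check has something to fire on.

```python
import re
from collections import Counter

# Constructed excerpt in ComboFix's report format. The lines are copied from the
# log posted above, trimmed to a few entries, plus one invented "Updater" value
# (hypothetical; not in the real log) so the user-writable-location check fires.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-02 303104]
"McAfeeUpdate"="c:\program files\McAfee\MSC\McUpdUtl.exe" [2010-02-11 300352]
"Updater"="c:\users\Sanna\AppData\Local\temp\upd.exe" [2010-09-01 12345]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

Contents of the 'Scheduled Tasks' folder

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 16:54]

2010-08-11 c:\windows\Tasks\TASK20100810204837.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]

2010-08-11 c:\windows\Tasks\TASK20100810204956.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
"""

# A registry section header whose key ends in \Run (HKCU or HKLM).
RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]*\\Run)\]$', re.IGNORECASE)
# "name"="image path" [yyyy-mm-dd size]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[\d{4}-\d{2}-\d{2} \d+\]$')
# yyyy-mm-dd c:\windows\Tasks\<job name>.job, followed on the next line by "- <target> [...]"
TASK_JOB_RE = re.compile(r'^\d{4}-\d{2}-\d{2} .*\\Tasks\\([^\\]+)\.job$', re.IGNORECASE)
TASK_TARGET_RE = re.compile(r'^- (.+?) \[[^\]]*\]$')
# Job names of the form TASK + 14-digit timestamp are generated, not hand-named.
AUTO_JOB_RE = re.compile(r'^TASK\d{14}$')
ABSOLUTE_RE = re.compile(r'^[a-z]:\\', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r'\\(appdata|temp|tmp|users\\public)\\', re.IGNORECASE)


def parse_run_entries(log_text):
    """Return (registry key, value name, image path) for every value under a Run key."""
    entries = []
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None   # any other key ends the Run section
            continue
        m = RUN_VALUE_RE.match(line) if current_key else None
        if m:
            entries.append((current_key, m.group(1), m.group(2)))
    return entries


def parse_scheduled_tasks(log_text):
    """Return (job name, target executable) pairs from the Scheduled Tasks section."""
    tasks = []
    pending_job = None
    for line in log_text.splitlines():
        line = line.strip()
        m = TASK_JOB_RE.match(line)
        if m:
            pending_job = m.group(1)
            continue
        m = TASK_TARGET_RE.match(line)
        if m and pending_job is not None:
            tasks.append((pending_job, m.group(1)))
            pending_job = None
    return tasks


def triage(log_text):
    """Run both parsers and collect the entries worth a second look."""
    run_findings = []
    for key, name, path in parse_run_entries(log_text):
        reasons = []
        if not ABSOLUTE_RE.match(path):
            reasons.append("image path is not absolute; resolved through the search path")
        if USER_WRITABLE_RE.search(path):
            reasons.append("image lives under a user-writable directory")
        if reasons:
            run_findings.append((key, name, path, reasons))
    tasks = parse_scheduled_tasks(log_text)
    per_target = Counter(target.lower() for _, target in tasks)
    auto_named = Counter(target.lower() for job, target in tasks if AUTO_JOB_RE.match(job))
    return {"run_findings": run_findings,
            "tasks_per_target": per_target,
            "auto_named_tasks": auto_named}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, name, path, reasons in report["run_findings"]:
        print(f"[Run] {name} -> {path}")
        for reason in reasons:
            print(f"       {reason}")
    for target, count in report["tasks_per_target"].most_common():
        auto = report["auto_named_tasks"][target]
        print(f"[Tasks] {count} job(s), {auto} auto-named -> {target}")
```

    Point it at a full ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`; the date-stamped `[... size]` suffix is the same in every ComboFix version this thread uses, so the regexes need no tuning.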

    SuperDave (Malware Removal Specialist)

    Re: My computer is sending out emails! Virus?
    « Reply #16 on: September 03, 2010, 05:42:29 PM »
    Please read here for more information about WildTangent. Your choice if you want to remove it or not.

    If you choose to follow my advice, please follow these instructions.

    Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    WildTangent Web Driver or anything related to WildTangent.
    ********************************

    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
    • Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Libera (Topic Starter, Rookie)

      Re: My computer is sending out emails! Virus?
      « Reply #17 on: September 06, 2010, 06:02:54 PM »
      OK, so it took me a while to figure the GMER rootkit thingy out. Every time I ran it, Windows would shut down immediately afterwards (blue screen), so I wasn't able to save the log. But now I got it.

      Also, I tried to find the WildTangent thing, but it is not in my program list; how do I find it and uninstall it?

      GMER 1.0.15.15281 - http://www.gmer.net
      Rootkit scan 2010-09-06 17:13:35
      Windows 6.0.6002 Service Pack 2
      Running: gmer.exe; Driver: C:\Users\Sanna\AppData\Local\Temp\kxldrpob.sys


      ---- System - GMER 1.0.15 ----

      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwCreateFile [0x8DCC879E]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwCreateProcess [0x8DCC8738]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwCreateProcessEx [0x8DCC874C]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwMapViewOfSection [0x8DCC87DC]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwNotifyChangeKey [0x8DCC881F]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwOpenProcess [0x8DCC8710]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwOpenThread [0x8DCC8724]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwProtectVirtualMemory [0x8DCC87B2]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwReplaceKey [0x8DCC8847]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwRestoreKey [0x8DCC8833]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwSetContextThread [0x8DCC878A]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwSetInformationProcess [0x8DCC8776]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwTerminateProcess [0x8DCC880B]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwUnmapViewOfSection [0x8DCC87F2]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwYieldExecution [0x8DCC87C8]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            ZwCreateUserProcess [0x8DCC8762]
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            NtCreateFile
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            NtMapViewOfSection
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            NtOpenProcess
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            NtOpenThread
      Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                                                            NtSetInformationProcess

      ---- Kernel code sections - GMER 1.0.15 ----

      .text           ntkrnlpa.exe!ZwYieldExecution                                                                                                                           81E3D9D2 5 Bytes  JMP 8DCC87CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!ZwNotifyChangeKey                                                                                                                          81FD15B5 5 Bytes  JMP 8DCC8823 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!ZwCreateUserProcess                                                                                                                        81FDBB82 5 Bytes  JMP 8DCC8766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!ZwTerminateProcess                                                                                                                         82002DA3 5 Bytes  JMP 8DCC880F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!NtMapViewOfSection                                                                                                                         820224FA 7 Bytes  JMP 8DCC87E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!ZwUnmapViewOfSection                                                                                                                       820227BD 5 Bytes  JMP 8DCC87F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!NtSetInformationProcess                                                                                                                    82026528 5 Bytes  JMP 8DCC877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!ZwProtectVirtualMemory                                                                                                                     8202BF3D 7 Bytes  JMP 8DCC87B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!NtOpenThread                                                                                                                               8202E15A 5 Bytes  JMP 8DCC8728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!NtOpenProcess                                                                                                                              82032C08 5 Bytes  JMP 8DCC8714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!NtCreateFile                                                                                                                               82053E5B 5 Bytes  JMP 8DCC87A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!ZwRestoreKey                                                                                                                               820648D2 5 Bytes  JMP 8DCC8837 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!ZwReplaceKey                                                                                                                               82065AD6 5 Bytes  JMP 8DCC884B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!ZwCreateProcess                                                                                                                            820A38BF 5 Bytes  JMP 8DCC873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!ZwCreateProcessEx                                                                                                                          820A390A 7 Bytes  JMP 8DCC8750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
      PAGE            ntkrnlpa.exe!ZwSetContextThread                                                                                                                         820A43C7 5 Bytes  JMP 8DCC878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
                      C:\Program Files\CyberLink\PowerDVD\000.fcl                                                                                                             entry point in "" section [0xAB81F000]
      .clc            C:\Program Files\CyberLink\PowerDVD\000.fcl                                                                                                             unknown last section [0xAB820000, 0x1000, 0x00000000]

      ---- User code sections - GMER 1.0.15 ----

      .text           C:\Windows\system32\services.exe[660] kernel32.dll!GetStartupInfoW                                                                                      75CD1929 5 Bytes  JMP 00060F3A
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!GetStartupInfoA                                                                                      75CD19C9 5 Bytes  JMP 00060080
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!CreateProcessW                                                                                       75CD1BF3 5 Bytes  JMP 000600BD
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!CreateProcessA                                                                                       75CD1C28 5 Bytes  JMP 000600AC
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!VirtualProtect                                                                                       75CD1DC3 5 Bytes  JMP 00060F5C
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!CreateNamedPipeA                                                                                     75CD2EF5 5 Bytes  JMP 00060FD4
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!CreateNamedPipeW                                                                                     75CD5C0C 5 Bytes  JMP 00060025
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!CreatePipe                                                                                           75CF8E6E 5 Bytes  JMP 00060F4B
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryExW                                                                                       75CF9109 5 Bytes  JMP 00060F6D
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryW                                                                                         75CF9362 5 Bytes  JMP 00060FAF
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryExA                                                                                       75CF94B4 5 Bytes  JMP 00060F8A
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryA                                                                                         75CF94DC 5 Bytes  JMP 00060036
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!VirtualProtectEx                                                                                     75CFDBDA 5 Bytes  JMP 0006005B
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!GetProcAddress                                                                                       75D1903B 5 Bytes  JMP 00060F0B
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!CreateFileW                                                                                          75D1AECB 5 Bytes  JMP 0006000A
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!CreateFileA                                                                                          75D1CE5F 5 Bytes  JMP 00060FEF
      .text           C:\Windows\system32\services.exe[660] kernel32.dll!WinExec                                                                                              75D65CF7 5 Bytes  JMP 00060091
      .text           C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyExA                                                                                      773C39AB 5 Bytes  JMP 00870F97
      .text           C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyA                                                                                        773C3BA9 5 Bytes  JMP 00870FB9
      .text           C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyA                                                                                          773C89C7 5 Bytes  JMP 00870000
      .text           C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyW                                                                                        773D391E 5 Bytes  JMP 00870FA8
      .text           C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyExW                                                                                      773D41F1 5 Bytes  JMP 00870054
      .text           C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyExA                                                                                        773D7C42 5 Bytes  JMP 0087001B
      .text           C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyW                                                                                          773DE2B5 5 Bytes  JMP 00870FEF
      .text           C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyExW                                                                                        773E7BA1 5 Bytes  JMP 00870FCA
      .text           C:\Windows\system32\services.exe[660] msvcrt.dll!_wsystem                                                                                               761B7F2F 5 Bytes  JMP 00850FAD
      .text           C:\Windows\system32\services.exe[660] msvcrt.dll!system                                                                                                 761B804B 5 Bytes  JMP 00850FBE
      .text           C:\Windows\system32\services.exe[660] msvcrt.dll!_creat                                                                                                 761BBBE1 5 Bytes  JMP 0085001D
      .text           C:\Windows\system32\services.exe[660] msvcrt.dll!_open                                                                                                  761BD106 5 Bytes  JMP 00850FEF
      .text           C:\Windows\system32\services.exe[660] msvcrt.dll!_wcreat                                                                                                761BD326 5 Bytes  JMP 0085002E
      .text           C:\Windows\system32\services.exe[660] msvcrt.dll!_wopen                                                                                                 761BD501 5 Bytes  JMP 0085000C
      .text           C:\Windows\system32\services.exe[660] WS2_32.dll!socket                                                                                                 762B36D1 5 Bytes  JMP 00860000
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoW                                                                                         75CD1929 5 Bytes  JMP 00190F91
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA                                                                                         75CD19C9 1 Byte  [E9]
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA                                                                                         75CD19C9 5 Bytes  JMP 001900CD
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessW                                                                                          75CD1BF3 5 Bytes  JMP 0019010D
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessA                                                                                          75CD1C28 5 Bytes  JMP 00190F6C
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtect                                                                                          75CD1DC3 5 Bytes  JMP 001900AB
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeA                                                                                        75CD2EF5 5 Bytes  JMP 0019002C
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeW                                                                                        75CD5C0C 5 Bytes  JMP 00190047
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!CreatePipe                                                                                              75CF8E6E 5 Bytes  JMP 00190FAC
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExW                                                                                          75CF9109 5 Bytes  JMP 00190084
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryW                                                                                            75CF9362 5 Bytes  JMP 00190062
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExA                                                                                          75CF94B4 5 Bytes  JMP 00190073
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryA                                                                                            75CF94DC 5 Bytes  JMP 00190FD1
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtectEx                                                                                        75CFDBDA 5 Bytes  JMP 001900BC
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!GetProcAddress                                                                                          75D1903B 5 Bytes  JMP 00190128
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileW                                                                                             75D1AECB 5 Bytes  JMP 0019001B
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileA                                                                                             75D1CE5F 5 Bytes  JMP 00190000
      .text           C:\Windows\system32\lsass.exe[692] kernel32.dll!WinExec                                                                                                 75D65CF7 5 Bytes  JMP 001900E8
      .text           C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExA                                                                                         773C39AB 5 Bytes  JMP 004E0F8D
      .text           C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyA                                                                                           773C3BA9 5 Bytes  JMP 004E0025
      .text           C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyA                                                                                             773C89C7 5 Bytes  JMP 004E000A
      .text           C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyW                                                                                           773D391E 5 Bytes  JMP 004E0FA8
      .text           C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExW                                                                                         773D41F1 5 Bytes  JMP 004E004A
      .text           C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExA                                                                                           773D7C42 5 Bytes  JMP 004E0FD4
      .text           C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyW                                                                                             773DE2B5 5 Bytes  JMP 004E0FEF
      .text           C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExW                                                                                           773E7BA1 5 Bytes  JMP 004E0FC3
      .text           C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wsystem                                                                                                  761B7F2F 5 Bytes  JMP 001A0F7A
      .text           C:\Windows\system32\lsass.exe[692] msvcrt.dll!system                                                                                                    761B804B 5 Bytes  JMP 001A0F95
      .text           C:\Windows\system32\lsass.exe[692] msvcrt.dll!_creat                                                                                                    761BBBE1 5 Bytes  JMP 001A0FB7
      .text           C:\Windows\system32\lsass.exe[692] msvcrt.dll!_open                                                                                                     761BD106 5 Bytes  JMP 001A0FEF
      .text           C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wcreat                                                                                                   761BD326 5 Bytes  JMP 001A0FA6
      .text           C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wopen                                                                                                    761BD501 5 Bytes  JMP 001A0FDE
      .text           C:\Windows\system32\lsass.exe[692] WS2_32.dll!socket                                                                                                    762B36D1 5 Bytes  JMP 001B0FEF
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW                                                                                       75CD1929 5 Bytes  JMP 004B00B1
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA                                                                                       75CD19C9 5 Bytes  JMP 004B0F61
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessW                                                                                        75CD1BF3 5 Bytes  JMP 004B00DD
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessA                                                                                        75CD1C28 5 Bytes  JMP 004B0F46
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtect                                                                                        75CD1DC3 5 Bytes  JMP 004B0056
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA                                                                                      75CD2EF5 5 Bytes  JMP 004B0FB9
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW                                                                                      75CD5C0C 5 Bytes  JMP 004B0014
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreatePipe                                                                                            75CF8E6E 5 Bytes  JMP 004B0082
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW                                                                                        75CF9109 5 Bytes  JMP 004B0F7C
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryW                                                                                          75CF9362 5 Bytes  JMP 004B0F97
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA                                                                                        75CF94B4 5 Bytes  JMP 004B0039
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryA                                                                                          75CF94DC 5 Bytes  JMP 004B0FA8
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx                                                                                      75CFDBDA 5 Bytes  JMP 004B0071
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!GetProcAddress                                                                                        75D1903B 5 Bytes  JMP 004B0F2B
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileW                                                                                           75D1AECB 5 Bytes  JMP 004B0FCA
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileA                                                                                           75D1CE5F 5 Bytes  JMP 004B0FE5
      .text           C:\Windows\system32\svchost.exe[880] kernel32.dll!WinExec                                                                                               75D65CF7 5 Bytes  JMP 004B00C2
      .text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem                                                                                                761B7F2F 1 Byte  [E9]
      .text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem                                                                                                761B7F2F 5 Bytes  JMP 004C0033
      .text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!system                                                                                                  761B804B 5 Bytes  JMP 004C0FA8
      .text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_creat                                                                                                  761BBBE1 5 Bytes  JMP 004C0FD4
      .text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_open                                                                                                   761BD106 5 Bytes  JMP 004C000C
      .text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wcreat                                                                                                 761BD326 5 Bytes  JMP 004C0FC3
      .text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wopen                                                                                                  761BD501 5 Bytes  JMP 004C0FEF
      .text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA                                                                                       773C39AB 5 Bytes  JMP 00520F83
      .text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA                                                                                         773C3BA9 5 Bytes  JMP 00520FAF
      .text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA                                                                                           773C89C7 5 Bytes  JMP 00520FE5
      .text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW                                                                                         773D391E 5 Bytes  JMP 00520F9E
      .text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW                                                                                       773D41F1 5 Bytes  JMP 00520040
      .text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA                                                                                         773D7C42 5 Bytes  JMP 00520000
      .text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW                                                                                           773DE2B5 5 Bytes  JMP 00520FCA
      .text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW                                                                                         773E7BA1 5 Bytes  JMP 00520011
      .text           C:\Windows\system32\svchost.exe[880] WS2_32.dll!socket                                                                                                  762B36D1 5 Bytes  JMP 00510000
      .text           C:\Windows\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW
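A small triage script for GMER listings like the one above, added here as an example (it is not part of the thread and not GMER's own code): it splits kernel-mode and user-mode hook lines, groups kernel hooks by the driver GMER attributes them to, and for each process collects which APIs are hooked and which 64 KiB regions the trampolines jump into, since GMER names no owning module for user-mode targets. The sample lines are copied from the log above; the WATCHLIST of execution and network APIs is my own choice.

```python
"""Triage helpers for GMER hook listings (added example; not GMER's own code)."""
import re
from collections import defaultdict

# Kernel-mode hook line, e.g.
#   PAGE ntkrnlpa.exe!NtOpenProcess 82032C08 5 Bytes JMP 8DCC8714 \SystemRoot\...\mfehidk.sys (vendor)
KERNEL_RE = re.compile(
    r"^\s*(?P<section>\S+)\s+(?P<module>[^\s!]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<size>\d+)\s+Bytes?\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>[^\s(]\S*))?"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)
# User-mode hook line; the last field is either "JMP <target>" or the patched bytes in brackets:
#   .text C:\Windows\system32\services.exe[660] kernel32.dll!CreateProcessW 75CD1BF3 5 Bytes JMP 000600BD
#   .text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA 75CD19C9 1 Byte [E9]
USER_RE = re.compile(
    r"^\s*(?P<section>\S+)\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<bytes>[0-9A-Fa-f ]+)\])\s*$"
)

# APIs whose hooking deserves a second look: process/command execution, library loading
# and socket creation. HIPS products hook these too, so the question is always
# who owns the hook target, not whether a hook exists. (Watchlist chosen for this example.)
WATCHLIST = ("CreateProcess", "WinExec", "system", "_wsystem", "LoadLibrary", "socket")


def parse_gmer(text):
    """Split a GMER listing into kernel hooks, user-mode hooks and lines we did not understand."""
    kernel, user, unparsed = [], [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("----"):
            continue  # blank line or a GMER section banner
        m = USER_RE.match(line)
        if m:
            hook = m.groupdict()
            hook["pid"] = int(hook["pid"])
            user.append(hook)
            continue
        m = KERNEL_RE.match(line)
        if m:
            kernel.append(m.groupdict())
            continue
        unparsed.append(line.strip())
    return kernel, user, unparsed


def kernel_hooks_by_owner(kernel):
    """Count kernel hooks per module GMER attributed them to (None = no module named)."""
    counts = defaultdict(int)
    for hook in kernel:
        counts[hook["owner"]] += 1
    return dict(counts)


def user_hook_regions(user):
    """Per (process, pid): hooked APIs, the 64 KiB regions the JMP targets land in,
    and how many entries are raw in-place patches (GMER shows bytes, not a target).
    A process whose hooks all jump into one small anonymous region is the thing to
    map back to an image or a known security product before calling it malicious."""
    report = {}
    for hook in user:
        entry = report.setdefault((hook["process"], hook["pid"]),
                                  {"apis": set(), "regions": set(), "inline_patches": 0})
        entry["apis"].add(f'{hook["dll"]}!{hook["func"]}')
        if hook["target"]:
            entry["regions"].add(int(hook["target"], 16) >> 16)
        else:
            entry["inline_patches"] += 1
    return report


def watchlist_hits(user):
    """Sorted (process, pid, dll!func) for user-mode hooks on execution/network APIs."""
    hits = set()
    for hook in user:
        if hook["func"].startswith(WATCHLIST):
            hits.add((hook["process"], hook["pid"], f'{hook["dll"]}!{hook["func"]}'))
    return sorted(hits)


# Constructed sample: a few lines copied from the GMER log posted above.
SAMPLE_LOG = r"""
PAGE  ntkrnlpa.exe!NtOpenProcess  82032C08 5 Bytes  JMP 8DCC8714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!NtCreateFile   82053E5B 5 Bytes  JMP 8DCC87A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text  C:\Windows\system32\services.exe[660] kernel32.dll!CreateProcessW  75CD1BF3 5 Bytes  JMP 000600BD
.text  C:\Windows\system32\services.exe[660] WS2_32.dll!socket            762B36D1 5 Bytes  JMP 00860000
.text  C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA    75CD19C9 1 Byte  [E9]
.text  C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA    75CD19C9 5 Bytes  JMP 001900CD
"""

if __name__ == "__main__":
    kernel, user, unparsed = parse_gmer(SAMPLE_LOG)
    print("kernel hooks by owner:", kernel_hooks_by_owner(kernel))
    for key, entry in user_hook_regions(user).items():
        regions = [hex(r << 16) for r in sorted(entry["regions"])]
        print(key, sorted(entry["apis"]), regions, "inline patches:", entry["inline_patches"])
    print("watchlist hits:", watchlist_hits(user))
    print("unparsed:", unparsed)
```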

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: My computer is sending out emails! Virus?
      « Reply #18 on: September 06, 2010, 06:09:25 PM »
      You could try searching for it this way.

      Delete An Uninstall Entry

      • Start HijackThis
      • Click on the Open the Misc Tools section
      • Click on the Open Uninstall Manager button.
      • Highlight the entry you want to remove. WildTangent
      • Click Delete this entry
      **************************************
      I'd like to scan your machine with ESET OnlineScan

      • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
      • Click the button.
      • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        • Click on to download the ESET Smart Installer. Save it to your desktop.
        • Double click on the icon on your desktop.
      • Check
      • Click the button.
      • Accept any security warnings from your browser.
      • Check
      • Push the Start button.
      • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      • When the scan completes, push
      • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      • Push the button.
      • Push
      A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

      Windows 8 and Windows 10 dual boot with two SSD's

      Libera

        Topic Starter


        Rookie

        Re: My computer is sending out emails! Virus?
        « Reply #19 on: September 06, 2010, 10:13:40 PM »
        ESETSmartInstaller@High as downloader log:
        all ok
        # version=7
        # OnlineScannerApp.exe=1.0.0.1
        # OnlineScanner.ocx=1.0.0.6211
        # api_version=3.0.2
        # EOSSerial=f9a6e9326aee944993376a399242ae6a
        # end=stopped
        # remove_checked=true
        # archives_checked=true
        # unwanted_checked=true
        # unsafe_checked=false
        # antistealth_checked=true
        # utc_time=2010-09-07 01:47:12
        # local_time=2010-09-06 06:47:12 (-0800, Pacific Daylight Time)
        # country="United States"
        # lang=1033
        # osver=6.0.6002 NT Service Pack 2
        # compatibility_mode=512 16777215 100 0 789324 789324 0 0
        # compatibility_mode=3584 16777215 100 0 0 0 0 0
        # compatibility_mode=5121 16776573 100 96 11575405 36657156 0 0
        # compatibility_mode=5892 16776573 100 100 0 120431560 0 0
        # compatibility_mode=8192 67108863 100 0 0 0 0 0
        # scanned=19
        # found=0
        # cleaned=0
        # scan_time=0
        ESETSmartInstaller@High as downloader log:
        all ok
        esets_scanner_update returned -1 esets_gle=53251
        # version=7
        # OnlineScannerApp.exe=1.0.0.1
        # OnlineScanner.ocx=1.0.0.6211
        # api_version=3.0.2
        # EOSSerial=f9a6e9326aee944993376a399242ae6a
        # end=finished
        # remove_checked=true
        # archives_checked=true
        # unwanted_checked=true
        # unsafe_checked=false
        # antistealth_checked=true
        # utc_time=2010-09-07 04:15:47
        # local_time=2010-09-06 09:15:47 (-0800, Pacific Daylight Time)
        # country="United States"
        # lang=1033
        # osver=6.0.6002 NT Service Pack 2
        # compatibility_mode=512 16777215 100 0 789456 789456 0 0
        # compatibility_mode=3584 16777215 100 0 0 0 0 0
        # compatibility_mode=5121 16776573 100 96 11575537 36657288 0 0
        # compatibility_mode=5892 16776573 100 100 0 120431692 0 0
        # compatibility_mode=8192 67108863 100 0 0 0 0 0
        # scanned=197483
        # found=3
        # cleaned=3
        # scan_time=8782
        C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-596ef2e2   probably a variant of Win32/Agent.DYXWUMY trojan (deleted - quarantined)   00000000000000000000000000000000   C
        C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\7adbb65d-4a3b7957   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
        C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\549f6065-54daa004   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C


        And the other one:

        C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-596ef2e2   probably a variant of Win32/Agent.DYXWUMY trojan   deleted - quarantined
        C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\7adbb65d-4a3b7957   multiple threats   deleted - quarantined
        C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\549f6065-54daa004   multiple threats   deleted - quarantined

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: My computer is sending out emails! Virus?
        « Reply #20 on: September 07, 2010, 05:05:23 PM »
        That looks good. If there are no other issues, it's time for some cleanup.

        * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
        * Now type Combofix /uninstall in the runbox
        * Make sure there's a space between Combofix and /Uninstall
        * Then hit Enter

        * The above procedure will:
          * Delete the following:
            * ComboFix and its associated files and folders.
          * Reset the clock settings.
          * Hide file extensions, if required.
          * Hide System/Hidden files, if required.
          * Set a new, clean Restore Point.

        *******************************

        Download OTC by OldTimer and save it to your desktop.

        1. Double-click OTC to run it.
        2. Click the CleanUp! button.
        3. Select Yes when the "Begin cleanup Process?" prompt appears.
        4. If you are prompted to Reboot during the cleanup, select Yes
        5. OTC should delete itself once it finishes, if not delete it yourself.

        *********************************

        Clean out your temporary internet files and temp files.

        Download TFC by OldTimer to your desktop.

        Double-click TFC.exe to run it.

        Note: If you are running on Vista, right-click on the file and choose Run As Administrator

        TFC will close all programs when run, so make sure you have saved all your work before you begin.

        * Click the Start button to begin the cleaning process.
        * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
        * Please let TFC run uninterrupted until it is finished.

        Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

        **************************************

        Looking over your log it seems you don't have any evidence of a third party firewall.

        Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

        Remember only install ONE firewall

        1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
        2) Online Armor
        3) Agnitum Outpost
        4) PC Tools Firewall Plus

        If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
        **********************************
        Use the Secunia Software Inspector to check for out of date software.

        • Click Start Now
        • Check the box next to Enable thorough system inspection.
        • Click Start
        • Allow the scan to finish and scroll down to see if any updates are needed.
        • Update anything listed.
        ----------

        Go to Microsoft Windows Update and get all critical updates.

        ----------

        I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

        SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
        * Using SpywareBlaster to protect your computer from Spyware and Malware
        * If you don't know what ActiveX controls are, see here

        Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

        Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

        Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
        Safe Surfing!
        Windows 8 and Windows 10 dual boot with two SSD's

        Libera

          Topic Starter


          Rookie

          Re: My computer is sending out emails! Virus?
          « Reply #21 on: September 15, 2010, 12:09:45 PM »
          I did all of the above,
          No more problems!

          Thank you so much for all of your help!