
Author Topic: PUP Whitesmoke  (Read 9395 times)


gpkenny (Topic Starter, Greenhorn; Experience: Beginner; OS: Unknown)

    PUP Whitesmoke
    « on: February 01, 2011, 08:41:09 PM »
    SuperAnti Virus detects 12 PUP Whitesmoke files, however SAV will not select the files for removal. I have tried avast 'Boot scan' to no avail. TDSS Killer detects no threats, nor does Trend Anti Virus. I have run CCleaner and have logs from SAV and HijackThis. Trend antivirus advises Malwarebytes is not a compatible programme.

    Many thanks in advance for your support

    Gary

    SuperDave (Malware Removal Specialist, Genius; Thanked: 1020; Experience: Expert; OS: Windows 10)

    Re: PUP Whitesmoke
    « Reply #1 on: February 02, 2011, 12:20:12 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    ****************************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    ***************************************************
    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.

    • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:

    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining
    Please leave the others unchecked

    • Click the Close button to leave the control center screen.

    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes

    • To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.

    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

    • It will open in your default text editor (preferably Notepad).
    • Save the notepad file to your desktop by clicking (in notepad) File > Save As...

    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Copy and Paste the log in your post.
    ******************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    ************************************************

    Download DDS from HERE or HERE and save it to your desktop.

    * Vista users right-click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall try to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.

    1) DDS.txt
    2) Attach.txt

    * Save both logs to your desktop.
    * Please copy and paste the entire contents of both logs in your next reply.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copy and pasting it into the reply.
    Windows 8 and Windows 10 dual boot with two SSD's

      gpkenny (Topic Starter, Greenhorn; Experience: Beginner; OS: Unknown)

      Re: PUP Whitesmoke
      « Reply #2 on: February 02, 2011, 10:08:28 PM »
      Hi Dave,

      Thank you for your reply. Please find requested logs copied below:

      Malwarebytes' Anti-Malware 1.50.1.1100
      www.malwarebytes.org

      Database version: 5663

      Windows 6.1.7600
      Internet Explorer 8.0.7600.16385

      03/02/2011 03:27:31
      mbam-log-2011-02-03 (03-27-31).txt

      Scan type: Full scan (C:\|D:\|G:\|)
      Objects scanned: 215097
      Time elapsed: 41 minute(s), 58 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 2
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 2
      Files Infected: 13

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CURRENT_USER\Software\WhiteSmokeTranslator (PUP.WhiteSmoke) -> Not selected for removal.
      HKEY_LOCAL_MACHINE\SOFTWARE\WhiteSmokeTranslator (PUP.WhiteSmoke) -> Not selected for removal.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      c:\Users\FUJITSU\AppData\Roaming\whitesmoketranslator (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup (PUP.WhiteSmoke) -> Not selected for removal.

      Files Infected:
      c:\microgaming\Poker\pokertimempp\install.exe (PUP.Casino.Gen) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmoketranslator\stat.log (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\0x0409.ini (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\config.txt (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\data1.cab (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\data1.hdr (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\data2.cab (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\layout.bin (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\setup.ini (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\setup.inx (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\setup.iss (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\setup.log (PUP.WhiteSmoke) -> Not selected for removal.
      c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\setup.ocx (PUP.WhiteSmoke) -> Not selected for removal.



      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 02/03/2011 at 04:51 AM

      Application Version : 4.48.1000

      Core Rules Database Version : 6330
      Trace Rules Database Version: 4142

      Scan type       : Complete Scan
      Total Scan Time : 01:00:44

      Memory items scanned      : 573
      Memory threats detected   : 0
      Registry items scanned    : 7240
      Registry threats detected : 5
      File items scanned        : 78359
      File threats detected     : 12

      PUP.Whitesmoke
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\0x0409.ini
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\config.txt
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\data1.cab
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\data1.hdr
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\data2.cab
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\layout.bin
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\setup.ini
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\setup.inx
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\setup.iss
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\setup.log
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP\setup.ocx
         C:\Users\FUJITSU\AppData\Roaming\WHITESMOKESETUP
         HKLM\SOFTWARE\WhiteSmokeTranslator
         HKLM\SOFTWARE\WhiteSmokeTranslator#InstallOption
         HKLM\SOFTWARE\WhiteSmokeTranslator#DistID
         HKLM\SOFTWARE\WhiteSmokeTranslator#SerialKey
         HKU\S-1-5-21-3240795352-2179653177-716154972-1000\Software\WhiteSmokeTranslator


      Results of screen317's Security Check version 0.99.8 
       Windows 7  (UAC is disabled!)
       Internet Explorer 8 
      ``````````````````````````````
      Antivirus/Firewall Check:

       Windows Firewall Enabled! 
       AVG 2011     
       Trend Micro Titanium Internet Security 
       Trend Micro™ Titanium™ Internet Security 
       WMI entry may not exist for antivirus; attempting automatic update.
      ```````````````````````````````
      Anti-malware/Other Utilities Check:

       SUPERAntiSpyware     
       CCleaner     
       Java(TM) 6 Update 23 
       Adobe Flash Player 10.1.102.64 
      Adobe Reader X
      ````````````````````````````````
      Process Check: 
      objlist.exe by Laurent

       Trend Micro AMSP coreServiceShell.exe 
       Trend Micro UniClient UiFrmWrk uiWatchDog.exe
       Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
       Trend Micro AMSP coreFrameworkHost.exe 
      ``````````End of Log````````````


      DDS (Ver_10-12-12.02) - NTFSx86 
      Run by FUJITSU at  5:01:32.93 on 03/02/2011
      Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
      Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.1913.953 [GMT 0:00]

      AV: Trend Micro Titanium Internet Security *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
      SP: Trend Micro Titanium Internet Security *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
      SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

      ============== Running Processes ===============

      C:\Windows\system32\wininit.exe
      C:\Windows\system32\lsm.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch
      C:\Windows\system32\svchost.exe -k RPCSS
      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      C:\Windows\system32\svchost.exe -k netsvcs
      C:\Windows\system32\svchost.exe -k LocalService
      C:\Windows\system32\svchost.exe -k NetworkService
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Windows\System32\spoolsv.exe
      C:\Windows\system32\taskhost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
      C:\Program Files\Common Files\Java\Java Update\jusched.exe
      C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
      C:\Program Files\BitTorrent\BitTorrent.exe
      C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
      C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
      C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
      C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
      C:\Windows\system32\conhost.exe
      C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
      C:\Windows\system32\conhost.exe
      C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\WUDFHost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
      C:\Windows\System32\svchost.exe -k secsvcs
      C:\Program Files\Windows Media Player\wmpnetwk.exe
      C:\Windows\system32\svchost.exe -k SDRSVC
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Mozilla Firefox\plugin-container.exe
      C:\Windows\system32\SearchProtocolHost.exe
      C:\Windows\system32\SearchFilterHost.exe
      C:\Users\FUJITSU\Downloads\dds.scr
      C:\Windows\system32\conhost.exe
      C:\Windows\system32\wbem\wmiprvse.exe

      ============== Pseudo HJT Report ===============

      uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80134&lng=en
      mStart Page = hxxp://uk.yahoo.com
      uURLSearchHooks: H - No File
      BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
      BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll
      BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
      BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
      BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
      BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
      TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
      uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe"
      mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
      mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
      mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
      mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
      mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""
      dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
      mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
      mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
      mPolicies-system: EnableLUA = 0 (0x0)
      mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
      mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
      DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
      DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
      DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
      DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
      Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll

      ================= FIREFOX ===================

      FF - ProfilePath - c:\users\fujitsu\appdata\roaming\mozilla\firefox\profiles\uxf6sb5a.default\
      FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2642709&SearchSource=3&q={searchTerms}
      FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
      FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
      FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d11bf4f&v=6.010.023.001&i=26&tp=ab&iy=&ychte=uk&lng=en-GB&q=
      FF - component: c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\firefoxextension\components\TmFFExt.dll
      FF - plugin: c:\program files\google\google updater\2.4.1970.7372\npCIDetect14.dll
      FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
      FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
      FF - Ext: Conduit Engine : [email protected] - %profile%\extensions\[email protected]
      FF - Ext: SearchElf 1.2 Community Toolbar: {f4e6547e-325b-403c-a3bb-ad29ed37a92f} - %profile%\extensions\{f4e6547e-325b-403c-a3bb-ad29ed37a92f}
      FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\firefoxextension

      ---- FIREFOX POLICIES ----
      FF - user.js: network.cookie.cookieBehavior - 0
      FF - user.js: privacy.clearOnShutdown.cookies - false
      FF - user.js: security.warn_viewing_mixed - false
      FF - user.js: security.warn_viewing_mixed.show_once - false
      FF - user.js: security.warn_submit_insecure - false
      FF - user.js: security.warn_submit_insecure.show_once - false

      ============= SERVICES / DRIVERS ===============

      R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
      R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
      R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-2-2 196320]
      R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-2-2 64080]
      R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
      S2 AMService;AMService;c:\windows\temp\wqqd\setup.exe run --> c:\windows\temp\wqqd\setup.exe run [?]
      S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
      S2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
      S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

      =============== Created Last 30 ================

      2011-02-03 02:43:16   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2011-02-02 03:31:11   388096   ----a-r-   c:\users\fujitsu\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
      2011-02-02 03:01:14   92112   ----a-w-   c:\windows\system32\drivers\tmtdi.sys
      2011-02-02 03:01:06   80464   ----a-w-   c:\windows\system32\drivers\tmactmon.sys
      2011-02-02 03:01:06   64080   ----a-w-   c:\windows\system32\drivers\tmevtmgr.sys
      2011-02-02 03:01:06   189520   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
      2011-02-02 02:57:54   --------   d-----w-   c:\progra~2\Trend Micro
      2011-02-02 02:57:53   --------   d-----w-   c:\program files\Trend Micro
      2011-02-01 09:42:28   5890896   ----a-w-   c:\progra~2\microsoft\windows defender\definition updates\{43358f64-bba4-4d37-8584-2b2481887d7f}\mpengine.dll
      2011-01-30 07:56:09   --------   d-----w-   c:\users\fujitsu\appdata\local\Yoga Poker
      2011-01-30 07:55:46   --------   d---a-w-   c:\program files\Yoga Poker
      2011-01-30 07:19:54   --------   d-----w-   c:\users\fujitsu\appdata\roaming\Absolute Poker
      2011-01-30 07:19:38   --------   d-----w-   C:\Poker Application
      2011-01-30 07:01:31   --------   d-----w-   c:\progra~2\Pokernet
      2011-01-30 07:00:55   --------   d-----w-   c:\users\fujitsu\appdata\roaming\MyPokerLab
      2011-01-30 07:00:04   --------   d-----w-   C:\Microgaming
      2011-01-30 04:25:51   --------   d-----w-   c:\users\fujitsu\appdata\roaming\Mozilla-Cache
      2011-01-26 14:33:10   --------   d-----w-   c:\users\fujitsu\appdata\local\Apple

      ==================== Find3M  ====================

      2010-11-12 18:53:06   472808   ----a-w-   c:\windows\system32\deployJava1.dll
      2010-11-08 01:20:24   89088   ----a-w-   c:\windows\MBR.exe

      ============= FINISH:  5:02:51.96 ===============


      UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
      IF REQUESTED, ZIP IT UP & ATTACH IT

      DDS (Ver_10-12-12.02)

      Microsoft Windows 7 Home Premium
      Boot Device: \Device\HarddiskVolume1
      Install Date: 11/01/2010 15:17:57
      System Uptime: 03/02/2011 03:29:53 (2 hours ago)

      Motherboard: FUJITSU SIEMENS |  | EF7     
      Processor: Intel(R) Celeron(R) CPU          900  @ 2.20GHz | U2E1 | 2194/800mhz

      ==== Disk Partitions =========================

      C: is FIXED (NTFS) - 40 GiB total, 6.119 GiB free.
      D: is FIXED (NTFS) - 15 GiB total, 14.545 GiB free.
      E: is CDROM ()
      F: is Removable
      G: is FIXED (NTFS) - 92 GiB total, 25.826 GiB free.

      ==== Disabled Device Manager Items =============

      ==== System Restore Points ===================

      RP393: 02/02/2011 03:30:25 - Installed HiJackThis

      ==== Installed Programs ======================

      AbiWord 2.8.6
      Absolute Poker
      Acrobat.com
      Adobe AIR
      Adobe Flash Player 10 ActiveX
      Adobe Flash Player 10 Plugin
      Adobe Reader X
      AVG 2011
      BitTorrent
      CCleaner
      Debut Video Capture Software
      Full Tilt Poker
      Google Updater
      HiJackThis
      Java Auto Updater
      Java(TM) 6 Update 23
      Microsoft .NET Framework 4 Client Profile
      Microsoft Application Error Reporting
      Microsoft Search Enhancement Pack
      Microsoft Visual C++ 2005 Redistributable
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
      Mozilla Firefox (3.6.13)
      OGA Notifier 2.0.0048.0
      SUPERAntiSpyware
      Trend Micro Titanium Internet Security
      Trend Micro™ Titanium™ Internet Security
      Visual C++ 2008 x86 Runtime - (v9.0.30729)
      Visual C++ 2008 x86 Runtime - v9.0.30729.01
      Windows Media Player Firefox Plugin

      ==== Event Viewer Messages From Past Week ========

      28/01/2011 04:09:38, Error: volsnap [35]  - The shadow copies of volume C: were aborted because the shadow copy storage failed to grow.
      27/01/2011 09:01:23, Error: Server [2505]  - The server could not bind to the transport \Device\NetBT_Tcpip_{3A31D15F-69F1-47CA-A807-C03173B72555} because another computer on the network has the same name.  The server could not start.
      03/02/2011 03:30:24, Error: Service Control Manager [7000]  - The lxcy_device service failed to start due to the following error:  The system cannot find the file specified.
      02/02/2011 03:13:22, Error: Service Control Manager [7034]  - The Trend Micro Solution Platform service terminated unexpectedly.  It has done this 1 time(s).
      01/02/2011 11:36:55, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

      ==== End Of File ===========================


      Kind Regards

      Gary
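The Security Check log above reports "UAC is disabled!", the DDS log confirms it (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), and the SERVICES / DRIVERS section lists a service whose image sits under c:\windows\temp. The script below is an added example, not part of this thread or of the DDS tool, that pulls exactly those findings out of DDS output; it assumes the line formats shown in the log above and treats the trailing "[?]" on a service line as "image not found" (an assumption, consistent with the HijackThis log later in the thread reporting the same two services as "file missing").

```python
"""Triage helper for the DDS log format posted in this thread (added example)."""
import re
from typing import Dict, List

# Constructed sample: a subset of the DDS lines posted in Reply #2 above.
SAMPLE_DDS = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-2-2 196320]
S2 AMService;AMService;c:\windows\temp\wqqd\setup.exe run --> c:\windows\temp\wqqd\setup.exe run [?]
S2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
"""

# UAC values DDS prints from HKLM\...\Policies\System.  Only the weak value of
# each setting is listed; any other value is left alone.
UAC_WEAK_VALUES = {
    "EnableLUA": 0,                   # 0: UAC is switched off entirely
    "ConsentPromptBehaviorAdmin": 0,  # 0: administrators elevate silently
    "PromptOnSecureDesktop": 0,       # 0: prompts appear on the normal desktop
}

POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
# DDS service line: "<state> <name>;<display name>;<image path and notes>"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def check_uac_policies(lines: List[str]) -> List[str]:
    """Return the names of UAC policies that are set to their weak value."""
    weak = []
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), int(m.group(2))
        if name in UAC_WEAK_VALUES and value == UAC_WEAK_VALUES[name]:
            weak.append(name)
    return sorted(weak)


def check_services(lines: List[str]) -> Dict[str, List[str]]:
    """Map service name -> reasons it deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        name, image = m.group(2), m.group(4)
        reasons = []
        # A service image living in a temp directory is not what a vendor
        # installer produces; it is the first thing to look at.
        if TEMP_DIR_RE.search(image):
            reasons.append("image under a temp directory")
        # Assumption: the trailing "[?]" is DDS saying it could not find the
        # image on disk (the HijackThis log shows the same services as
        # "file missing").
        if image.rstrip().endswith("[?]"):
            reasons.append("image not found")
        if reasons:
            findings[name] = reasons
    return findings


def triage(log_text: str) -> Dict[str, object]:
    """Run both checks over a DDS log and return the findings."""
    lines = log_text.splitlines()
    return {
        "weak_uac": check_uac_policies(lines),
        "services": check_services(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(key, value)
```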

      SuperDave (Malware Removal Specialist, Genius; Thanked: 1020; Experience: Expert; OS: Windows 10)

      Re: PUP Whitesmoke
      « Reply #3 on: February 03, 2011, 01:05:44 PM »
      Please run MBAM again and, this time, remove the infections.
      It's quite possible that you're running two AV programs on your computer: Trend Micro Titanium Internet Security and AVG 2011. If this is indeed true, one will have to be disabled/removed, because you should not have two active AV programs; they tend to conflict. You should remove AVG because it will also conflict with future scans. Here's the AVG Removal Tool.

      AVG Antivirus - AVG Antivirus Remover utility

      P2P - I see you have P2P software installed on your machine (BitTorrent). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

      Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

      I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
      *********************************************
      You are getting dangerously close to 15% free space on your hard drive. Any less than 15% and your computer will start acting weird. You should keep a close watch on this.

      ComboFix will not run with AVG on your computer.

      Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

      link # 1
      Link # 2
      If you are using Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Right-click combofix.exe and select Run as Administrator and follow the prompts.
      When finished, ComboFix will produce a log for you.
      Post the ComboFix log and a new HijackThis log in your next reply.

      NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

        gpkenny (Topic Starter, Greenhorn; Experience: Beginner; OS: Unknown)

        Re: PUP Whitesmoke
        « Reply #4 on: February 04, 2011, 01:24:28 AM »
        Thank you for your reply.

        Malwarebytes will not select infected files for removal?

        Please find the ComboFix and HijackThis logs copied below:

        Logfile of Trend Micro HijackThis v2.0.4
        Scan saved at 08:15:34, on 04/02/2011
        Platform: Windows 7  (WinNT 6.00.3504)
        MSIE: Internet Explorer v8.00 (8.00.7600.16700)
        Boot mode: Normal

        Running processes:
        C:\Windows\system32\Dwm.exe
        C:\Windows\Explorer.EXE
        C:\Program Files\Common Files\Java\Java Update\jusched.exe
        C:\Program Files\BitTorrent\BitTorrent.exe
        C:\Windows\system32\taskhost.exe
        C:\Program Files\Mozilla Firefox\firefox.exe
        C:\Program Files\Alwil Software\Avast5\AvastUI.exe
        C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inbox.com/homepage.aspx?tbid=80134&lng=en
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
        O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
        O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
        O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
        O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe"
        O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -update activex (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -update activex (User 'Default user')
        O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - (no file) (HKCU)
        O9 - Extra button: Absolute Poker - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\FUJITSU\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
        O9 - Extra 'Tools' menuitem: Absolute Poker - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\FUJITSU\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O23 - Service: AMService - Unknown owner - C:\Windows\TEMP\wqqd\setup.exe (file missing)
        O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
        O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: lxcy_device - Unknown owner - C:\Windows\system32\lxcycoms.exe (file missing)

        --
        End of file - 3552 bytes


        ComboFix 11-01-31.02 - FUJITSU 04/02/2011   7:48.4.1 - x86
        Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.1913.1380 [GMT 0:00]
        Running from: c:\users\FUJITSU\Desktop\ComboFix.exe
        SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
        .

        (((((((((((((((((((((((((   Files Created from 2011-01-04 to 2011-02-04  )))))))))))))))))))))))))))))))
        .

        2011-02-04 07:53 . 2011-02-04 07:53   --------   d-----w-   c:\windows\system32\config\systemprofile\AppData\Local\temp
        2011-02-04 07:53 . 2011-02-04 07:53   --------   d-----w-   c:\users\Public\AppData\Local\temp
        2011-02-04 07:53 . 2011-02-04 07:53   --------   d-----w-   c:\users\Default\AppData\Local\temp
        2011-02-04 05:50 . 2010-12-20 18:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2011-02-04 05:50 . 2010-12-20 18:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2011-02-04 05:26 . 2011-02-04 07:53   --------   d-----w-   c:\users\FUJITSU\AppData\Local\temp
        2011-02-04 05:18 . 2011-02-02 02:54   203600   ----a-w-   c:\windows\TmNSCIns.dll
        2011-02-04 05:18 . 2011-02-02 02:54   319456   ----a-w-   c:\windows\DIFxAPI.dll
        2011-02-03 02:43 . 2011-02-04 05:50   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2011-02-02 03:00 . 2011-02-02 03:00   --------   d-----w-   c:\windows\system32\config\systemprofile\AppData\Local\Trend Micro
        2011-02-02 02:57 . 2011-02-04 05:18   --------   d-----w-   c:\programdata\Trend Micro
        2011-02-02 02:57 . 2011-02-04 07:45   --------   d-----w-   c:\program files\Trend Micro
        2011-02-01 09:42 . 2011-01-13 09:41   5890896   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{43358F64-BBA4-4D37-8584-2B2481887D7F}\mpengine.dll
        2011-01-30 07:56 . 2011-01-30 07:56   --------   d-----w-   c:\users\FUJITSU\AppData\Local\Yoga Poker
        2011-01-30 07:55 . 2011-01-30 08:03   --------   d---a-w-   c:\program files\Yoga Poker
        2011-01-30 07:19 . 2011-01-30 07:40   --------   d-----w-   c:\users\FUJITSU\AppData\Roaming\Absolute Poker
        2011-01-30 07:19 . 2011-01-30 07:19   --------   d-----w-   C:\Poker Application
        2011-01-30 07:01 . 2011-01-30 07:02   --------   d-----w-   c:\programdata\Pokernet
        2011-01-30 07:00 . 2011-01-30 07:06   --------   d-----w-   c:\users\FUJITSU\AppData\Roaming\MyPokerLab
        2011-01-30 07:00 . 2011-01-30 07:00   --------   d-----w-   C:\Microgaming
        2011-01-30 04:25 . 2011-01-30 04:27   --------   d-----w-   c:\users\FUJITSU\AppData\Roaming\Mozilla-Cache
        2011-01-26 14:33 . 2011-02-01 10:19   --------   d-----w-   c:\program files\QuickTime
        2011-01-26 14:33 . 2011-01-26 14:33   --------   d-----w-   c:\users\FUJITSU\AppData\Local\Apple
        2011-01-26 14:33 . 2011-01-26 14:33   --------   d-----w-   c:\programdata\Apple

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2011-01-29 21:24 . 2010-01-28 23:17   710976   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
        2011-01-27 08:55 . 2010-01-22 11:01   710976   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
        2010-12-25 05:51 . 2009-07-13 23:11   78416   ----a-w-   c:\windows\system32\drivers\mountmgr.sys
        2010-12-21 09:02 . 2010-12-21 09:02   98392   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
        2010-11-12 18:53 . 2010-05-11 07:46   472808   ----a-w-   c:\windows\system32\deployJava1.dll
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2010-12-01 397176]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
        "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-06-16 231888]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "ConsentPromptBehaviorAdmin"= 0 (0x0)
        "ConsentPromptBehaviorUser"= 3 (0x3)
        "EnableLUA"= 0 (0x0)
        "EnableUIADesktopToggle"= 0 (0x0)
        "PromptOnSecureDesktop"= 0 (0x0)

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
        "aux"=wdmaud.drv

        R2 AMService;AMService;c:\windows\TEMP\wqqd\setup.exe run

        R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
        R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe

        R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys

        R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys

        R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys

        R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-24 1343400]
        S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
        S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
        S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
        S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]

        .
        Contents of the 'Scheduled Tasks' folder

        2011-02-04 c:\windows\Tasks\Google Software Updater.job
        - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-09-27 05:42]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80134&lng=en
        mStart Page = hxxp://uk.yahoo.com
        FF - ProfilePath - c:\users\FUJITSU\AppData\Roaming\Mozilla\Firefox\Profiles\uxf6sb5a.default\
        FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2642709&SearchSource=3&q={searchTerms}
        FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
        FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
        FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d11bf4f&v=6.010.023.001&i=26&tp=ab&iy=&ychte=uk&lng=en-GB&q=
        FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
        FF - Ext: Conduit Engine : [email protected] - %profile%\extensions\[email protected]
        FF - Ext: SearchElf 1.2 Community Toolbar: {f4e6547e-325b-403c-a3bb-ad29ed37a92f} - %profile%\extensions\{f4e6547e-325b-403c-a3bb-ad29ed37a92f}
        FF - user.js: network.cookie.cookieBehavior - 0
        FF - user.js: privacy.clearOnShutdown.cookies - false
        FF - user.js: security.warn_viewing_mixed - false
        FF - user.js: security.warn_viewing_mixed.show_once - false
        FF - user.js: security.warn_submit_insecure - false
        FF - user.js: security.warn_submit_insecure.show_once - false
        .
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
        @Denied: (Full) (Everyone)
        .
        Completion time: 2011-02-04  07:55:16
        ComboFix-quarantined-files.txt  2011-02-04 07:55
        ComboFix2.txt  2011-02-04 05:26
        ComboFix3.txt  2010-12-22 08:50

        Pre-Run: 13,886,377,984 bytes free
        Post-Run: 13,703,430,144 bytes free

        - - End Of File - - 3A29FE679E041DEB79EF3AD4D9036643

        Regards
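A defender-side triage script for logs of the kind posted above is a useful companion to reading them by eye. The block below is an added example and is not code from this thread nor from HijackThis, ComboFix or any other tool named here. The sample lines are copied from the logs above; the finding names and the `triage`/`summarize` helpers are assumptions of this example. It flags a service whose binary sits under a TEMP directory or is reported "(file missing)", UAC policy values set to 0 in the ComboFix "Reg Loading Points" section, and Firefox user.js prefs that silence insecure-submission warnings or accept all cookies.

```python
"""Triage helper for HijackThis / ComboFix-style text logs.

Added example for this thread; not part of HijackThis, ComboFix or MBAM.
Finding names and helper functions are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str   # short label for the pattern that matched
    line: str   # the log line that triggered it


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = (
    "O4 - HKLM\\..\\Run: [avast5] \"C:\\Program Files\\Alwil Software\\Avast5\\avastUI.exe\" /nogui\n"
    "O23 - Service: AMService - Unknown owner - C:\\Windows\\TEMP\\wqqd\\setup.exe (file missing)\n"
    "O23 - Service: avast! Antivirus - AVAST Software - C:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe\n"
    "O23 - Service: lxcy_device - Unknown owner - C:\\Windows\\system32\\lxcycoms.exe (file missing)\n"
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]\n"
    "\"ConsentPromptBehaviorAdmin\"= 0 (0x0)\n"
    "\"ConsentPromptBehaviorUser\"= 3 (0x3)\n"
    "\"EnableLUA\"= 0 (0x0)\n"
    "\"PromptOnSecureDesktop\"= 0 (0x0)\n"
    "R2 AMService;AMService;c:\\windows\\TEMP\\wqqd\\setup.exe run\n"
    "FF - user.js: security.warn_submit_insecure - false\n"
    "FF - user.js: network.cookie.cookieBehavior - 0\n"
)

# A path component named TEMP (case-insensitive) is unusual for a service binary.
TEMP_PATH = re.compile(r"\\temp\\", re.I)
# ComboFix service lines look like "R2 name;display name;path" (R/S + digit, then ';').
COMBOFIX_SERVICE = re.compile(r"^[RS]\d [^;]+;")
# ComboFix registry dump values look like: "Name"= 0 (0x0)
REG_VALUE = re.compile(r'^"(\w+)"=\s*(\d+)')
# ComboFix Firefox pref lines: FF - user.js: pref.name - value
FF_PREF = re.compile(r"^FF - user\.js: (\S+) - (\S+)$")
# UAC-related policy values; 0 means the protection is turned off.
UAC_KEYS = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
FF_WARN_PREFS = ("security.warn_submit_insecure", "security.warn_viewing_mixed")


def triage(text: str) -> list[Finding]:
    """Scan log text line by line and return the findings in order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # HijackThis O23 service entries and ComboFix R*/S* service entries
        if line.startswith("O23 - Service:") or COMBOFIX_SERVICE.match(line):
            if TEMP_PATH.search(line):
                findings.append(Finding("service_in_temp", line))
            if "(file missing)" in line:
                findings.append(Finding("service_file_missing", line))
        # UAC policy values dumped by ComboFix
        m = REG_VALUE.match(line)
        if m and m.group(1) in UAC_KEYS and int(m.group(2)) == 0:
            findings.append(Finding("uac_disabled", line))
        # Firefox prefs that weaken browser-side warnings
        m = FF_PREF.match(line)
        if m:
            name, value = m.groups()
            if name.startswith(FF_WARN_PREFS) and value == "false":
                findings.append(Finding("ff_warning_silenced", line))
            elif name == "network.cookie.cookieBehavior" and value == "0":
                findings.append(Finding("ff_accept_all_cookies", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for a quick overview of a long log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the script reports the AMService entry twice (TEMP path and missing file), the lxcy_device missing file, the three UAC values set to 0, and the two Firefox prefs. None of these is proof of malware on its own; they are the lines a helper would look at first, and a service registered from a TEMP folder that no longer exists is exactly the kind of leftover that ComboFix and MBAM are then used to clean up.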

        SuperDave

        Re: PUP Whitesmoke
        « Reply #5 on: February 04, 2011, 12:51:00 PM »
        Quote
        Malwarebytes will not select infected files for removal?
        Please uninstall MBAM. Download and run a new one.

        Please download Malwarebytes Anti-Malware from here.
        Double Click mbam-setup.exe to install the application.
        • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
        • If an update is found, it will download and install the latest version.
        • Once the program has loaded, select "Perform Full Scan", then click Scan.
        • The scan may take some time to finish, so please be patient.
        • When the scan is complete, click OK, then Show Results to view the results.
        • Make sure that everything is checked, and click Remove Selected.
        • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
        • Please save the log to a location you will remember.
        • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
        • Copy and paste the entire report in your next reply.
        Extra Note:

        If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
        ***************************************************************************
        Did you address this issue?

        Quote
        It's quite possible that you're running two AV programs on your computer: Trend Micro Titanium Internet Security and AVG 2011. If this is indeed true, one will have to be disabled/removed, because you should not have two active AV programs; they tend to conflict. You should remove AVG because it will also conflict with future scans. Here's the AVG Removal Tool.

        ***********************************************
        SysProt Antirootkit

        Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

        http://sites.google.com/site/sysprotantirootkit/

        Unzip it into a folder on your desktop.
        • Double click Sysprot.exe to start the program.
        • Click on the Log tab.
        • In the Write to log box select the following items.
          • Process << Selected
          • Kernel Modules << Selected
          • SSDT << Selected
          • Kernel Hooks << Selected
          • IRP Hooks << NOT Selected
          • Ports << NOT Selected
          • Hidden Files << Selected
        • At the bottom of the page
          • Hidden Objects Only << Selected
        • Click on the Create Log button on the bottom right.
        • After a few seconds a new window should appear.
        • Select Scan Root Drive. Click on the Start button.
        • When it is complete a new window will appear to indicate that the scan is finished.
        • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

        gpkenny

          Re: PUP Whitesmoke
          « Reply #6 on: February 04, 2011, 03:21:50 PM »
          Thank you for your reply.

          I have downloaded and run AVG removal tool.

          I reinstalled Malwarebytes. The programme detects the infected files, however lists 'no action taken' next to the files detected and will not remove.

          Please find the requested logs copied below:

          Malwarebytes' Anti-Malware 1.50.1.1100
          www.malwarebytes.org

          Database version: 5679

          Windows 6.1.7600
          Internet Explorer 8.0.7600.16385

          04/02/2011 22:04:56
          mbam-log-2011-02-04 (22-04-56).txt

          Scan type: Full scan (C:\|D:\|G:\|)
          Objects scanned: 211376
          Time elapsed: 30 minute(s), 38 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 2
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 1
          Files Infected: 12

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          HKEY_CURRENT_USER\Software\WhiteSmokeTranslator (PUP.WhiteSmoke) -> Not selected for removal.
          HKEY_LOCAL_MACHINE\SOFTWARE\WhiteSmokeTranslator (PUP.WhiteSmoke) -> Not selected for removal.

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup (PUP.WhiteSmoke) -> Not selected for removal.

          Files Infected:
          c:\microgaming\Poker\pokertimempp\install.exe (PUP.Casino.Gen) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\0x0409.ini (PUP.WhiteSmoke) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\config.txt (PUP.WhiteSmoke) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\data1.cab (PUP.WhiteSmoke) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\data1.hdr (PUP.WhiteSmoke) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\data2.cab (PUP.WhiteSmoke) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\layout.bin (PUP.WhiteSmoke) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\setup.ini (PUP.WhiteSmoke) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\setup.inx (PUP.WhiteSmoke) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\setup.iss (PUP.WhiteSmoke) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\setup.log (PUP.WhiteSmoke) -> Not selected for removal.
          c:\Users\FUJITSU\AppData\Roaming\whitesmokesetup\setup.ocx (PUP.WhiteSmoke) -> Not selected for removal.


          SysProt AntiRootkit v1.0.1.0
          by swatkat

          ******************************************************************************************
          ******************************************************************************************

          No Hidden Processes found

          ******************************************************************************************
          ******************************************************************************************
          Kernel Modules:
          Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
          Service Name: ---
          Module Base: 932C1000
          Module End: 932CC000
          Hidden: Yes

          Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
          Service Name: ---
          Module Base: 932CC000
          Module End: 932D6000
          Hidden: Yes

          Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
          Service Name: ---
          Module Base: 932D6000
          Module End: 932E7000
          Hidden: Yes

          ******************************************************************************************
          ******************************************************************************************
          No SSDT Hooks found

          ******************************************************************************************
          ******************************************************************************************
          Hidden files/folders:
          Object: C:\Qoobox\BackEnv\AppData.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Cache.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Cookies.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Desktop.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Favorites.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\History.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Music.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\NetHood.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Personal.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Pictures.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Programs.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Recent.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SendTo.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SetPath.bat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\StartUp.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SysPath.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Templates.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\VikPev00
          Status: Access denied

          Object: C:\System Volume Information\WindowsImageBackup\Catalog\BackupGlobalCatalog
          Status: Access denied

          Object: C:\System Volume Information\WindowsImageBackup\Catalog\GlobalCatalog
          Status: Access denied

          Object: C:\System Volume Information\WindowsImageBackup\Catalog
          Status: Access denied

          Object: C:\System Volume Information\WindowsImageBackup\SPPMetadataCache\{3d9ceafe-849c-4eda-ad74-6c76672bfe43}
          Status: Access denied

          Object: C:\System Volume Information\WindowsImageBackup\SPPMetadataCache
          Status: Access denied

          Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
          Status: Access denied

          Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
          Status: Access denied

          Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
          Status: Access denied

          Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
          Status: Access denied

          Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl
          Status: Access denied

          Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
          Status: Access denied

          Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
          Status: Access denied

          Kind Regards

          SuperDave

          Re: PUP Whitesmoke
          « Reply #7 on: February 04, 2011, 04:32:50 PM »
          Ok. Let's try this:

          I'd like to scan your machine with ESET OnlineScan

          •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
          ESET OnlineScan
          •Click the button.
          •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          • Click on to download the ESET Smart Installer. Save it to your desktop.
          • Double click on the icon on your desktop.
          •Check
          •Click the button.
          •Accept any security warnings from your browser.
          •Check
          •Push the Start button.
          •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
          •When the scan completes, push
          •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
          •Push the button.
          •Push
          A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

          gpkenny

            Re: PUP Whitesmoke
            « Reply #8 on: February 04, 2011, 11:26:52 PM »
            Hello Dave,

            ESET did not detect any threats and did not produce a log. SAS and Malwarebytes still record 12 Whitesmoke infected files.

            Regards

            SuperDave

            Re: PUP Whitesmoke
            « Reply #9 on: February 05, 2011, 01:15:35 PM »
            Quote
            Malwarebytes will not select infected files for removal?
            Can you select them yourself?
            Update MBAM and run another scan and post the logs. I'll figure out some way of getting rid of them.


            gpkenny

              Re: PUP Whitesmoke
              « Reply #10 on: February 05, 2011, 08:08:41 PM »
              Thanks for your reply.

              I'm embarrassed, MBAM does indeed have an option to self select and successfully remove infected files. Please close this thread and accept my apologies.

              Many thanks for your help.

              Kind Regards

              SuperDave

              Re: PUP Whitesmoke
              « Reply #11 on: February 06, 2011, 01:01:01 PM »
              Good. We just need to do some cleanup.

              To uninstall ComboFix

              • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
              • In the field, type in ComboFix /uninstall


              (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

              • Then, press Enter, or click OK.
              • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
              *********************************************
              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
              **********************************************
              Use the Secunia Software Inspector to check for out of date software.

              •Click Start Now

              •Check the box next to Enable thorough system inspection.

              •Click Start

              •Allow the scan to finish and scroll down to see if any updates are needed.
              •Update anything listed.
              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
              Safe Surfing!

              gpkenny

                Re: PUP Whitesmoke
                « Reply #12 on: February 07, 2011, 07:14:06 AM »
                All done... thanks a million... the clean-up and add-ons have made a real difference to my machine's performance.

                I'd appreciate any advice on tutorials to learn more?

                Regards 

                SuperDave

                Re: PUP Whitesmoke
                « Reply #13 on: February 07, 2011, 01:04:31 PM »
                You're welcome. As for the tutorials, you can search for a tutorial for whatever problem you're having and you should be able to find one. YouTube has lots of them. I will lock this thread. If you need it re-opened, please send me a pm.