Thread: Unidentified Malware
- 12-08-2011 05:22 PM #1
Unidentified Malware
I hope I am not wasting the time of all you kind folks. However, the retailer of my computer included a scanning program of its own which runs without generating any logs. I believe it is a sham that they created to entice you to keep the antivirus that they bundle with the computer. Anyway, yesterday I ran this scanning program, which concluded by stating that it found malware without showing its location. Then, I telephoned its technical support, which proposed to charge me $129 to remove the malware, as if I don't have any say in what stays on my computer. Since I had already run Panda (the program with which I replaced the original antivirus), Malwarebytes, SuperAntispyware and Temporary File Cleaner (by Justin Murray) last Monday, I was curious about the location and identification of this malware. Those programs ran clean. Out of desperation, I installed and ran ESET. It found two occurrences of Win32/Toggle Application. They appear to be in a folder of installers of programs I did not use on this computer. I suppose I could get rid of them. My computer runs Windows 7 64-Bit and IE9. It is on a wireless network with an XP-Pro running IE8. The two programs that have the Toggle Application are versions of WinDVD, which I intended for the XP computer. They are trial programs for which I am unwilling to pay. Additionally, I could not run HiJackThis until I checked off the box which states "Run As Administrator." So, I have logs for Panda, Malwarebytes, SuperAntispyware, ESET and HiJackThis, which is still open on my computer. Which logs do you want first? Should I begin new scans with any of these programs?
- 12-08-2011 10:18 PM #2
Hi troothteller,
My apologies for the delay in responding.
> So, I have logs for Panda, Malwarebytes, SuperAntispyware, ESET and HiJackThis, which is still open on my computer. Which logs do you want first?
Please post all the logs. Our removal experts are very busy at this time and your patience will be necessary.
Thank you for understanding!
Donna
I am currently taking a degree in Malware Removal, and during this time, it is not appropriate for me to offer any assistance in the analysis of or the removal of Malware. Thank you for understanding.
If you think you might be infected with malware or have recently cleansed your computer of malware without the help of an expert, please read and follow the instructions in How to Start Removing Viruses and Spyware from your Computer. This can reduce the time spent troubleshooting your current computer problems.
If your problem is solved, here's how to say thanks!
Very proud parent of a U.S. Navy C.B.
"People may forget what you say,
People may forget what you did,
but People will never forget how you made them feel!"
Gateway ML6714 Laptop
Genuine Intel(R) CPU T2080 @1.73GHz
2.00 GB 32-bit
Windows Vista Home Premium SP2
Firefox, IE8
- 12-08-2011 10:34 PM #3
Unidentified Malware/HJT Log
Donna, since this log seems to be the most important, and the most difficult to obtain, here is the first post:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:42:26 AM, on 12/8/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
C:\Program Files (x86)\Office Depot PC Support Agent\escont.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngrUI.exe
C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\ApVxdWin.exe
C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavBckPT.exe
C:\Program Files (x86)\Hewlett-Packard\SmartPrint\bootstrap.exe
C:\PROGRA~2\MICROS~2\wkcalrem.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSI | MSN
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = XFINITY by Comcast -- Official Customer Site | Email | Watch TV Online
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: QpBHO Class - {1658D3A1-9E13-4196-A82A-D70D70880F36} - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QuickPrintBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL (file missing)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\WI3C8A~1\Datamngr\BROWSE~1.DLL
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Somoto Toolbar - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2348.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll (file missing)
O3 - Toolbar: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2348.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2348.0\npwinext.dll
O3 - Toolbar: Somoto Toolbar - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files (x86)\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE"
O4 - HKLM\..\Run: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~2\WI3C8A~1\Datamngr\DATAMN~1.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\Inicio.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: Marketsplash Print Software.lnk = C:\Program Files (x86)\Hewlett-Packard\Marketsplash by HP\HPLocalWebPrintAgent.exe
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
O8 - Extra context menu item: Copy to &Lightning Note - C:\Program Files (x86)\Corel\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files (x86)\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetect...etection32.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...?1301405572200
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...Detection2.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) -
O16 - DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} (WRC Class) - http://trial.trymicrosoftoffice.com/...soft/wrc32.ocx
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab...l_4.4.24.0.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Active File Monitor V9 (AdobeActiveFileMonitor9.0) - Adobe Systems Incorporated - C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\windows\SysWOW64\atashost.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files (x86)\System Control Manager\MSIService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @C:\Program Files (x86)\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files (x86)\Nero\Update\NASvc.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Office Depot PC Support Agent - Support.com, Inc. - C:\Program Files (x86)\Office Depot PC Support Agent\esService.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files (x86)\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\pavsrvx86.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Panda Host Service (PSHost) - Unknown owner - c:\program files (x86)\panda security\panda internet security 2012\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsImSvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PskSvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Program Files\Tablet\Pen\Pen_Tablet.exe
O23 - Service: Wacom Consumer Touch Service (TouchServicePen) - Wacom Technology, Corp. - C:\Program Files\Tablet\Pen\Pen_TouchService.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 17254 bytes
- 12-08-2011 11:11 PM #4
Unidentified Malware/Panda Log
The Panda Log does not go into detail. It just states that it ran and whether or not it found anything. Here it is:
Panda Internet Security 2012 incident report
Filter selected:All, Date: All
INCIDENT NOTIFIED BY DATE-TIME RESULT ADDITIONAL INFORMATION
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Update Updates system 12/8/2011 7:41:38 AM Correct File modification signatures
Scan complete On-demand antivirus scan 12/7/2011 1:10:12 PM Scan:
Scan started On-demand antivirus scan 12/7/2011 1:07:12 PM Scan:
Update Updates system 12/7/2011 1:07:00 PM Correct File: Threat signatures
Update Updates system 12/6/2011 9:31:52 AM Correct File modification signatures
Scan complete On-demand antivirus scan 12/5/2011 10:15:46 PM Scan: Scanning the whole system
Scan started On-demand antivirus scan 12/5/2011 7:19:20 PM Scan: Scanning the whole system
Update Updates system 12/5/2011 5:45:05 PM Correct File modification signatures
Update Updates system 12/3/2011 7:55:25 AM Correct File modification signatures
Scan complete On-demand antivirus scan 12/2/2011 11:54:03 AM Scan:
Scan started On-demand antivirus scan 12/2/2011 11:51:47 AM Scan:
Update Updates system 12/2/2011 11:51:38 AM Correct File: Threat signatures
Scan complete On-demand antivirus scan 12/1/2011 3:00:30 PM Scan:
Scan started On-demand antivirus scan 12/1/2011 2:56:44 PM Scan:
Update Updates system 12/1/2011 2:56:34 PM Correct File: Threat signatures
Scan complete On-demand antivirus scan 11/30/2011 8:59:28 PM Scan: Scanning system
Scan started On-demand antivirus scan 11/30/2011 8:59:28 PM Scan: Scanning system
Scan complete On-demand antivirus scan 11/30/2011 12:14:30 PM Scan:
Scan started On-demand antivirus scan 11/30/2011 12:11:11 PM Scan:
Update Updates system 11/30/2011 12:11:09 PM Correct Type: Identity protection
Update Updates system 11/30/2011 12:11:03 PM Correct File: Threat signatures
Scan started On-demand antivirus scan 11/29/2011 11:36:58 AM Scan:
Update Updates system 11/29/2011 11:36:56 AM Correct Type: autofix hfp171104s19
Update Updates system 11/29/2011 11:36:51 AM Correct Type: autofix hfp171104s6
Update Updates system 11/29/2011 11:36:50 AM Correct Type: autofix hfp171104s3
Update Updates system 11/29/2011 11:36:46 AM Correct File: Threat signatures
Scan complete On-demand antivirus scan 11/29/2011 10:56:40 AM Scan: Scanning the whole system
Scan complete On-demand antivirus scan 11/29/2011 7:17:17 AM Scan: Scanning System
Scan complete On-demand antivirus scan 11/29/2011 7:16:28 AM Scan:
Scan started On-demand antivirus scan 11/29/2011 7:13:43 AM Scan: Scanning the whole system
Update Updates system 11/29/2011 7:12:43 AM Correct Type: Identity protection
Update Updates system 11/29/2011 7:12:38 AM Correct File modification signatures
Scan started On-demand antivirus scan 11/29/2011 7:12:38 AM Scan:
Update Updates system 11/29/2011 7:12:34 AM Incorrect Error: Error in the download process
Scan started On-demand antivirus scan 11/29/2011 7:12:33 AM Scan: Scanning System
Update Updates system 11/29/2011 7:12:33 AM Incorrect Error: Error in the download process
Update Updates system 11/29/2011 7:12:32 AM Incorrect Error: Error in the download process
Update Updates system 11/29/2011 7:12:31 AM Correct File: Threat signatures
- 12-08-2011 11:13 PM #5
Unidentified Malware/Malwarebytes Log
Here is the Malwarebytes Log:
Malwarebytes' Anti-Malware 1.51.2.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download
Database version: 8320
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
12/5/2011 11:08:52 PM
mbam-log-2011-12-05 (23-08-52).txt
Scan type: Full scan (C:\|D:\|Q:\|)
Objects scanned: 323343
Time elapsed: 47 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
- 12-08-2011 11:17 PM #6
Unidentified Malware/SuperAntiSpyware Log
Here is the SuperAntiSpyware log:
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
Generated 12/06/2011 at 00:03 AM
Application Version : 5.0.1136
Core Rules Database Version : 8018
Trace Rules Database Version: 5830
Scan type : Complete Scan
Total Scan Time : 00:51:26
Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User
Memory items scanned : 675
Memory threats detected : 0
Registry items scanned : 73547
Registry threats detected : 0
File items scanned : 58538
File threats detected : 0
- 12-08-2011 11:20 PM #7
Unidentified Malware/ESET log
Here is the ESET log, where it identified malware, though possibly a false positive:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=62b53f29b96c8347acf0693025e9fd52
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-12-07 07:53:21
# local_time=2011-12-07 02:53:21 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1536 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776573 100 94 0 74825028 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=170758
# found=2
# cleaned=0
# scan_time=6023
C:\Users\user\Downloads\installer_intervideo_windvd.exe Win32/Toggle application (unable to clean) 00000000000000000000000000000000 I
C:\Users\user\Downloads\installer_windvd_gold.exe Win32/Toggle application (unable to clean) 00000000000000000000000000000000 I
- 01-28-2012 07:52 AM #8
Hi troothteller,
My apologies for the delay. As I stated in my email reply, you were not intentionally overlooked. I thought you were being taken care of due to the number of replies posted to your thread; I should have looked closer.
> However, the retailer of my computer included a scanning program of its own which runs without generating any logs. I believe it is a sham that they created to entice you to keep the antivirus that they bundle with the computer. Anyway, yesterday I ran this scanning program, which concluded by stating that it found malware without showing its location. Then, I telephoned its technical support, which proposed to charge me $129 to remove the malware, as if I don't have any say in what stays on my computer.
Your assumption is correct. Many retailers are paid to promote software. What was the name of the program?
> ESET Scan:
> # found=2
> # cleaned=0
> # scan_time=6023
> C:\Users\user\Downloads\installer_intervideo_windvd.exe Win32/Toggle application (unable to clean) 00000000000000000000000000000000 I
> C:\Users\user\Downloads\installer_windvd_gold.exe Win32/Toggle application (unable to clean) 00000000000000000000000000000000 I
After discussing the entries that ESET found with our expert:
We both agree that the installer in the download folder was targeted as malicious.
> The two programs that have the Toggle Application are versions of WinDVD, which I intended for the XP computer.
Since WinDVD was intended for your XP, uninstall WinDVD from your Win7 and that should keep those entries from being detected again.
Also, I'd like to point out a few entries that could/should be removed with HiJackThis:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL (file missing)
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
O2 - BHO: Somoto Toolbar - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll (file missing)
O3 - Toolbar: Somoto Toolbar - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
Right click on HiJackThis and choose Run as Administrator, if the option is presented, then click on Do a system scan only. Place a check mark to the left of each of the entries above and click Fix Checked, close HiJackThis, then reboot, then do another system scan and post the log in your next reply.
Then go to Programs and Features and uninstall the mentioned Toolbars if found.
You can also follow the paths below and delete the folders:
C:\Program Files (x86)\WI3C8A~1
C:\Program Files (x86)\somototoolbar
Run ESET again to see if anything is detected this time.
Donna
Last edited by DonnaB; 03-19-2012 at 07:21 PM.
I am currently taking a degree in Malware Removal, and during this time, it is not appropriate for me to offer any assistance in the analysis of or the removal of Malware. Thank you for understanding.
If you think you might be infected with malware or have recently cleansed your computer of malware without the help of an expert, please read and follow the instructions in How to Start Removing Viruses and Spyware from your Computer. This can alleviate time consumed in trouble shooting your current computer problems.
If your problem is solved, here's how to say thanks!
Very proud parent of a U.S. Navy C.B.
"People may forget what you say,
People may forget what you did,
but People will never forget how you made them feel!"
Gateway ML6714 Laptop
Genuine Intel(R) CPU T2080 @1.73GHz
2.00 GB 32-bit
Windows Vista Home Premium SP2
Firefox, IE8
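As an added illustration, not part of this thread and not HijackThis's own code, the Python below parses the O2/O3 lines quoted in post #8 and separates orphaned entries, where HijackThis reports "(no file)" or "(file missing)", from entries whose DLL is still present. The sample input is the seven entries quoted above, and the set of unwanted toolbar names is taken from this post only; the regex, the dataclass and the verdict wording are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the seven O2/O3 entries quoted in post #8 of this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL (file missing)
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
O2 - BHO: Somoto Toolbar - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll (file missing)
O3 - Toolbar: Somoto Toolbar - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
"""

# Toolbar names the helper in this thread asked to have uninstalled (post #8).
# This is thread-specific, not a general adware list.
UNWANTED_NAMES = {"Searchqu Toolbar", "Somoto Toolbar"}

# Assumed shape of an O2/O3 line: "<section> - <kind>: <name> - {CLSID} - <target>"
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"
)


@dataclass
class HjtEntry:
    section: str
    kind: str
    name: str
    clsid: str
    path: Optional[str]   # None when HijackThis printed "(no file)"
    file_present: bool    # False for both "(no file)" and "(file missing)"


def parse_hjt(text: str) -> list[HjtEntry]:
    """Parse O2 (BHO) and O3 (Toolbar) lines; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        target = m.group("target").strip()
        if target == "(no file)":
            path, present = None, False
        elif target.endswith("(file missing)"):
            path, present = target[: -len("(file missing)")].strip(), False
        else:
            path, present = target, True
        entries.append(HjtEntry(m.group("section"), m.group("kind"), m.group("name"),
                                m.group("clsid").lower(), path, present))
    return entries


def triage(entries: list[HjtEntry]) -> list[tuple[HjtEntry, str, str]]:
    """Return (entry, verdict, reason). Orphans are safe to fix; present files need a look."""
    results = []
    for e in entries:
        if not e.file_present:
            results.append((e, "remove", "registry entry points to a file that no longer exists"))
        elif e.name in UNWANTED_NAMES:
            results.append((e, "remove", "toolbar identified as unwanted in this thread; uninstall and delete its folder too"))
        else:
            results.append((e, "review", "file present and not flagged; check the publisher before acting"))
    return results


def summary(text: str) -> dict:
    """Counts used to sanity-check a log before handing a user a fix list."""
    verdicts = triage(parse_hjt(text))
    return {
        "total": len(verdicts),
        "orphaned": sum(1 for e, _, _ in verdicts if not e.file_present),
        "remove": sum(1 for _, v, _ in verdicts if v == "remove"),
        "review": sum(1 for _, v, _ in verdicts if v == "review"),
    }


if __name__ == "__main__":
    for e, verdict, why in triage(parse_hjt(HJT_SAMPLE)):
        print(f"{e.section} {e.name!r:32} {verdict:7} {why}")
```

Note that the Somoto entry appears twice with the same CLSID (once as a BHO, once as a toolbar), which is why post #8 also asks for the program to be uninstalled and its folder deleted: fixing only the registry entries would leave the DLL on disk.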
- 01-30-2012 08:35 PM #9Member
- Join Date
- Nov 2010
- Location
- Hackettstown, NJ
- Posts
- 28
- Points
- 0
Thank you, Donna. The program the retailer included in this computer is the Office Depot Support Agent.
- 01-30-2012 09:21 PM #10
Hi troothteller,
You're welcome!
I'm assuming that you bought your computer at Office Depot. Right?
The software in question, Office Depot PC Support Agent, is totally unnecessary. You have Secunia installed, which is a much more reliable program, serves the same purpose, and is highly recommended by some of the most renowned experts in Internet Security.
Personally, I would uninstall the Office Depot PC Support Agent software.
To do so, go to Control Panel > Programs and Features, right click and choose uninstall. If you do not plan on reinstalling the software (which I wouldn't) follow the path below and delete the folder as well.
C:\Program Files (x86)\Office Depot PC Support Agent
Have you taken the time to accomplish the tasks I asked you to do in post #8 above? When complete, please post another HiJackThis log and scan with ESET once again.
Also, I'd like to see an uninstall list if you don't mind. Please do the following:
Uninstall list HijackThis instructions:
Double click the HiJackThis Icon on the Desktop. On the Main Menu click on Open the Misc Tools section.
Under System Tools on the left, click on Open Uninstall Manager.
Then over to the right click on the Save List button and Save it to your Desktop so you may find it.
Please copy and paste the list from notepad into your next reply.
In your next reply, please post logs for:
1.) HiJackThis log
2.) HJT Uninstall list
3.) ESET log
Thank you.