yahoo email virus
Hello,
There are emails sent from my address to all of my contacts.
The subject of the mail is my ID.
And the mail contains a link, a different one each time.

I scanned my laptop, even in safe mode, with Malwarebytes' Anti-Malware, but nothing was found.

Please help.

Re: yahoo email virus
Hello nandixtr and welcome to GeekPolice!

I am Gabethebabe and I will be helping you with this issue. Before we start, some general remarks/rules:
  • While I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try to respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end! If your computer starts running better, that doesn't mean it is clean yet!


====================

Three possibilities:
  1. The spam e-mails were sent from your computer.
  2. The spam e-mails were sent from your e-mail address. To avoid this, simply change the password of your e-mail address (from a clean computer!)
  3. The spam e-mails were sent from a random e-mail address and your e-mail address was "spoofed" (i.e. the e-mails APPEAR to come from you, but in reality do not). There is nothing you can do about this, just make sure your personal data is not for grabs on the www.

Together we will verify whether option 1 applies. In the next step we will check your computer for malware.

====================

We are going to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Doubleclick ComboFix.exe to run the tool. Please post its log back here.
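The header check behind the three possibilities listed above, as an added example that is not part of the original thread. A contact who received one of the messages can forward it with full headers; the receiving server's Authentication-Results and Received headers then tell a message that was really submitted through the owner's provider (possibilities 1 and 2, where the account or its saved credentials were used) from one injected by an unrelated host with a forged From: (possibility 3). The two raw messages, the .invalid domains and the documentation IP addresses are constructed for this example, and the verdict names are my own.

```python
"""Header triage for a spam message that appears to come from your own address.

Added example, not part of the original thread. The two raw messages below are
constructed; they use reserved .invalid domains and documentation IP ranges.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: relayed by the owner's own provider, SPF passes and the DKIM
# signature is from the From: domain. The account (or saved credentials on an
# infected PC) was really used; changing the password is mandatory.
MSG_VIA_ACCOUNT = """Received: from smtp-out.example-mail.invalid (smtp-out.example-mail.invalid [192.0.2.10])
    by mx.contact-provider.invalid with ESMTPS id 4Qx7abc
Authentication-Results: mx.contact-provider.invalid;
    spf=pass smtp.mailfrom=example-mail.invalid;
    dkim=pass header.d=example-mail.invalid
From: nandixtr <nandixtr@example-mail.invalid>
To: friend@contact-provider.invalid
Subject: nandixtr

http://203.0.113.7/r.php?u=19
"""

# Constructed: same From: header, but injected by an unrelated host. SPF fails
# and there is no DKIM signature: the address was merely spoofed.
MSG_SPOOFED = """Received: from unknown (HELO mail) ([198.51.100.55])
    by mx.contact-provider.invalid with SMTP id 4Qx7def
Authentication-Results: mx.contact-provider.invalid;
    spf=fail smtp.mailfrom=example-mail.invalid;
    dkim=none
From: nandixtr <nandixtr@example-mail.invalid>
To: friend@contact-provider.invalid
Subject: nandixtr

http://198.51.100.55/a.php?u=42
"""

AUTH_RE = re.compile(r'\b(spf|dkim|dmarc)=(\w+)', re.I)
DKIM_DOMAIN_RE = re.compile(r'header\.[di]=@?([\w.-]+)', re.I)
MAILFROM_RE = re.compile(r'smtp\.mailfrom=(?:[^\s;@]+@)?([\w.-]+)', re.I)
ORIGIN_RE = re.compile(r'\s*from\s+(.+?)\s+by\s', re.I | re.S)


def auth_results(msg):
    """Verdicts, DKIM signing domain and SPF-checked domain from the receiving
    server's Authentication-Results header(s)."""
    verdicts, dkim_domain, mailfrom_domain = {}, None, None
    for value in msg.get_all('Authentication-Results', []):
        for method, result in AUTH_RE.findall(value):
            verdicts.setdefault(method.lower(), result.lower())
        m = DKIM_DOMAIN_RE.search(value)
        if m and dkim_domain is None:
            dkim_domain = m.group(1).lower()
        m = MAILFROM_RE.search(value)
        if m and mailfrom_domain is None:
            mailfrom_domain = m.group(1).lower()
    return verdicts, dkim_domain, mailfrom_domain


def classify(raw):
    """Map the headers onto the three possibilities: account/credentials used
    (submitted through the provider), spoofed, or inconclusive."""
    msg = message_from_string(raw, policy=policy.default)
    verdicts, dkim_domain, mailfrom_domain = auth_results(msg)
    from_domain = parseaddr(msg.get('From', ''))[1].rpartition('@')[2].lower()

    # The last Received: header is the earliest hop: the host that injected the mail.
    received = msg.get_all('Received', [])
    m = ORIGIN_RE.match(received[-1]) if received else None
    origin_hop = m.group(1) if m else ''

    dkim_aligned = verdicts.get('dkim') == 'pass' and dkim_domain == from_domain
    spf_aligned = verdicts.get('spf') == 'pass' and mailfrom_domain == from_domain
    if dkim_aligned or spf_aligned:
        verdict = 'submitted_through_provider'   # possibilities 1 or 2
    elif verdicts.get('spf') in ('fail', 'softfail') or verdicts.get('dkim') in ('none', 'fail'):
        verdict = 'spoofed'                       # possibility 3
    else:
        verdict = 'inconclusive'                  # e.g. no Authentication-Results at all
    return {'verdict': verdict, 'from_domain': from_domain,
            'origin_hop': origin_hop, 'auth': verdicts}


if __name__ == '__main__':
    for name, raw in (('via account', MSG_VIA_ACCOUNT), ('spoofed', MSG_SPOOFED)):
        print(name, classify(raw))
```

Only the Authentication-Results header added by the recipient's own mail server is trustworthy; anything below it in the chain was written by the sender and can be forged, so the check has to be run on a copy obtained from the receiving side, not on what the spammer's host claims. A 'submitted_through_provider' verdict does not separate possibility 1 from 2 on its own; that is what the malware scan in the thread is for.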

Re: yahoo email virus
OK, thanks for helping.
I scanned my laptop, and here is the log:



ComboFix 11-02-28.07 - Nandi 01/03/2011 16:08:23.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3004.1570 [GMT 2:00]
Running from: c:\users\Nandi\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
.

2011-03-01 14:18 . 2011-03-01 14:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-03-01 14:18 . 2011-03-01 14:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-01 09:12 . 2011-03-01 09:12 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2011-03-01 07:47 . 2011-03-01 07:47 -------- d-----w- c:\users\Nandi\AppData\Roaming\Malwarebytes
2011-03-01 07:46 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 07:46 . 2011-03-01 07:46 -------- d-----w- c:\programdata\Malwarebytes
2011-03-01 07:46 . 2011-03-01 07:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 07:46 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 06:57 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{77EB99E8-B35B-4E81-8ABB-B79847B518C5}\mpengine.dll
2011-02-24 10:25 . 2011-02-24 10:25 -------- d-----w- c:\users\Nandi\AppData\Roaming\Avira
2011-02-24 10:23 . 2010-12-13 06:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-24 10:23 . 2010-12-13 06:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-24 10:23 . 2011-02-24 10:23 -------- d-----w- c:\programdata\Avira
2011-02-24 10:23 . 2011-02-24 10:23 -------- d-----w- c:\program files\Avira
2011-02-24 08:53 . 2011-02-24 08:53 -------- d-----w- c:\program files\Common Files\Skype
2011-02-23 13:02 . 2009-12-14 10:44 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2011-02-23 13:02 . 2009-12-14 10:44 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2011-02-23 13:00 . 2011-02-24 10:09 -------- d-----w- c:\programdata\Kaspersky Lab
2011-02-10 09:13 . 2011-02-10 09:14 -------- d-----w- c:\users\Nandi\AppData\Roaming\DiskAid
2011-02-09 20:37 . 2011-01-20 16:08 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-30 15:45 . 2011-01-30 15:45 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 15:45 . 2011-01-30 15:45 135568 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 15:11 . 2009-11-08 17:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-28 15:55 . 2011-01-12 09:01 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 15:33 . 2010-12-18 15:33 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2010-12-18 15:33 . 2010-12-18 15:33 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-12-14 14:49 . 2011-01-12 09:01 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-28 23:21 . 2009-10-28 23:21 10277728 ----a-w- c:\program files\winamp556_full_emusic-7plus_en-us.exe
2009-10-28 23:06 . 2009-10-28 23:06 2025768 ----a-w- c:\program files\SkypeSetup.exe
2009-10-28 22:58 . 2009-10-28 22:58 445128 ----a-w- c:\program files\msgr9us.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-09-02 12:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]
2009-07-02 08:18 2215960 ----a-w- c:\program files\BS_Player\tbBS_P.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}"= "c:\program files\BS_Player\tbBS_P.dll" [2009-07-02 2215960]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{FED66DC5-1B74-4A04-8F5C-15C5ACE2B9A5}"= "c:\program files\BS_Player\tbBS_P.dll" [2009-07-02 2215960]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-11-04 6174008]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"UpdateP2GShortCut"="c:\program files\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2009-04-23 4097864]
"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2009-05-04 5064520]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2007-04-11 26704]
"lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2007-09-06 450560]
"lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2007-08-10 20480]
"Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2007-09-18 307200]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 170520]
"UIExec"="c:\program files\ZTE Join Air\UIExec.exe" [2010-11-01 139088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2008-8-26 752168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Total Commander Pro.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Total Commander Pro.lnk
backup=c:\windows\pss\Total Commander Pro.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 08:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Serviciul Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 135664]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-03-13 24576]
R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-05-06 379968]
R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-05-06 412736]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-09-27 9216]
R3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\System32\IgrsSvcs.exe [2008-01-21 21504]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2008-01-10 81192]
S0 Wdkbdmou;Lenovo RMCT KbdMou Service;c:\windows\system32\DRIVERS\Wdkbdmou.sys [2009-03-02 8832]
S1 funfrm;funfrm; [x]
S1 LenovoVCD;LenovoVCD;c:\windows\system32\drivers\LenovoVCD.sys [2009-02-14 16200]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
S2 IGRS;IGRS;c:\program files\Lenovo\ReadyComm\common\IGRS.exe [2008-02-14 32768]
S2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe [2007-09-20 589824]
S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [2007-07-17 94208]
S2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\System32\IgrsSvcs.exe [2008-01-21 21504]
S2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [2008-09-27 430080]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-01-14 2250616]
S2 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-08-29 48192]
S2 UI Assistant Service;UI Assistant Service;c:\program files\ZTE Join Air\AssistantServices.exe [2010-11-01 253264]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-10-23 223232]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-07-31 29736]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-09-21 112128]
S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [2009-03-02 8832]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 08:54]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 17:52]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 17:52]

2011-03-01 c:\windows\Tasks\User_Feed_Synchronization-{3DDA18F2-F17B-4F69-9C6D-D447F12E29B9}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://lenovo.live.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Nandi\AppData\Roaming\Mozilla\Firefox\Profiles\dl97g879.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: LoudMo Contextual Ad Assistant: {a5c6f5d7-6464-f4f1-d8dd-75874493fc7e} - c:\program files\Mozilla Firefox\extensions\{a5c6f5d7-6464-f4f1-d8dd-75874493fc7e}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MobileConnect - %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1340)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_rum.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\lxdoserv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\TUProgSt.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Yahoo!\Messenger\YahooMessenger.exe
c:\windows\System32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\Lenovo\Bluetooth Software\BtStackServer.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Windows Defender\MSASCui.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-03-01 16:30:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-01 14:29

Pre-Run: 58,323,124,224 bytes free
Post-Run: 58,155,278,336 bytes free

- - End Of File - - 56F9FE464B6EE65F03AC9D98F6CFCC01


Re: yahoo email virus
OK, ComboFix found an infected system file. Let's see if we can find a clean backup copy.

Please download SystemLook by jpshortstuff from one of the locations below and save it to your desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the following text into the main textfield:

:filefind
userinit.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop (SystemLook.txt)

Re: yahoo email virus
This is the result:

SystemLook 04.09.10 by jpshortstuff
Log created at 11:12 on 02/03/2011 by Nandi
Administrator - Elevation successful

========== filefind ==========

Searching for "userinit.exe"
C:\Windows\ERDNT\cache\userinit.exe --a---- 25088 bytes [14:28 01/03/2011] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\userinit.exe --a---- 25088 bytes [02:24 21/01/2008] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:24 21/01/2008] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9

-= EOF =-


Re: yahoo email virus
Hey nandixtr, sorry for the wait. I had to discuss this issue with my teachers. ComboFix identified that a file was infected, but the SystemLook results say the file is authentic. I had never seen that before. Whoa!

Let's try another test.
Analysis of a suspicious file.
  • Please go to the Virustotal website by clicking here
  • Click the Browse button and in the Name field paste:
    C:\Windows\System32\userinit.exe

  • Click Open and click Send File
  • If Virustotal informs you that "File has already been analysed", click Reanalyse file now
  • An analysis report will appear. Copy and paste the url (something like http://www.virustotal.com/analisis/blabla) into your next reply.
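The comparison the helper is drawing above, as an added example that is not part of the original thread: the SystemLook output posted earlier lists three copies of userinit.exe with the same size and MD5, and this script parses those lines and checks the live System32 copy against the WinSxS component-store copy and the ERDNT backup. The parser, the role names and the verdict logic are my own; treating WinSxS and ERDNT as reference copies is an assumption of the example. A match means the file on disk is byte-identical to the copies Windows servicing keeps, which makes an in-place patch of userinit.exe unlikely and points to a false positive in ComboFix's check; it does not by itself prove the file is Microsoft's, which is what the VirusTotal upload (or an Authenticode signature check with a tool such as Sysinternals sigcheck) answers.

```python
"""Cross-check the copies of userinit.exe reported by SystemLook's :filefind.

Added example, not part of the original thread. The input below is the
SystemLook output posted earlier in this thread; the parser and the verdict
logic are mine.
"""
import re
from collections import defaultdict

SYSTEMLOOK_OUTPUT = r"""Searching for "userinit.exe"
C:\Windows\ERDNT\cache\userinit.exe --a---- 25088 bytes [14:28 01/03/2011] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\userinit.exe --a---- 25088 bytes [02:24 21/01/2008] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:24 21/01/2008] [02:24 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
"""

# One ":filefind" result line: path, attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes '
    r'\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$'
)


def parse_filefind(text):
    """Return one dict per result line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e['size'] = int(e['size'])
            e['md5'] = e['md5'].upper()
            entries.append(e)
    return entries


def role(path):
    """Which copy is this: the live binary, or one of the reference copies?"""
    p = path.lower()
    if '\\winsxs\\' in p:
        return 'component_store'   # WinSxS is where servicing keeps the canonical file
    if '\\erdnt\\' in p:
        return 'erdnt_backup'      # backup taken by the ComboFix run in this thread
    if '\\system32\\' in p:
        return 'live'
    return 'other'


def assess(entries):
    """Compare the live System32 copy against every reference copy by MD5 and size."""
    by_role = defaultdict(list)
    for e in entries:
        by_role[role(e['path'])].append(e)
    if not by_role['live']:
        return {'verdict': 'no_live_copy', 'mismatches': [], 'distinct_hashes': []}
    live = by_role['live'][0]
    refs = by_role['component_store'] + by_role['erdnt_backup']
    mismatches = [e['path'] for e in refs
                  if (e['md5'], e['size']) != (live['md5'], live['size'])]
    if not refs:
        verdict = 'no_reference_copy'
    elif mismatches:
        verdict = 'live_copy_differs'
    else:
        verdict = 'live_copy_matches_references'
    return {'verdict': verdict, 'live_md5': live['md5'], 'mismatches': mismatches,
            'distinct_hashes': sorted({e['md5'] for e in entries})}


if __name__ == '__main__':
    print(assess(parse_filefind(SYSTEMLOOK_OUTPUT)))
```

If the live copy differed, the WinSxS copy is the one to restore from (that is what `sfc /scannow` does), and the differing hash is the one to submit to VirusTotal.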


Re: yahoo email virus
Hello, the URL:

http://www.virustotal.com/file-scan/report.html?id=75eea7e5ae90d857b777361a0166f9a82e354f229fd5250af8738364e6fb45db-1299167405


Re: yahoo email virus
It is starting to appear that your computer was actually clean, which is all the better. If you want, we can run one final scan with a pretty good scanner (Dr. Web CureIt).

Please download Dr. Web CureIt from here and save it to your desktop.
  • Double click drweb-cureit.exe to run the scanner
  • Click OK when Dr. Web asks if you want to enter "Enhanced Protection Mode" (EPM)
  • Click OK when prompted about legal terms
  • Click Start to start the Express Scan, which is a relatively short scan. During the scan you will not be able to use your computer.
  • If a popup menu appears, asking you to buy the full version, just close that window.
  • Allow Dr. Web to cure/move whatever infection has been found
  • Once the short scan has finished, chose the Complete Scan
  • Select all drives. A red dot shows which drives have been chosen
  • Click the green arrow to start the complete scan
  • This scan can take a very long time. Just allow it to run
  • Allow Dr. Web to cure/move whatever infection has been found
  • When the scan has finished, look and see if you can click the icon next to the files found
  • If so, click it and then click the next icon right below and select Move incurable
  • Incurable files will be moved to a safe folder (%userprofile%\DoctorWeb\quarantaine-folder)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr. Web CureIt
  • Reboot your computer so that Dr. Web can finish the cleanup process
  • Please post the contents of DrWeb.csv in your next reply.

Re: yahoo email virus
Hello,

I scanned the laptop with the Dr. Web scanner. On the Express scan it didn't find anything, but on the Complete scan there was 1 deleted infection and 2 or 3 infected files moved.
I tried to save the log, but when I clicked Save report list an error occurred. A blue screen appeared, and the laptop rebooted itself.
After rebooting, a notification appeared that Windows had recovered from an unexpected shutdown:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 2057

Additional information about the problem:
BCCode: 19
BCP1: 00000021
BCP2: CE338000
BCP3: 0004BAC8
BCP4: 00740078
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini030511-02.dmp
C:\Users\Nandi\AppData\Local\Temp\WER-68983-0.sysdata.xml
C:\Users\Nandi\AppData\Local\Temp\WERA929.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

I scanned the laptop again and the same problem occurred.

What should I do ?


Re: yahoo email virus
Let's see if Dr.Web left us a log.
Go to Start >> Run and type or copy/paste:
%userprofile%\DoctorWeb

Execute that. It should open a folder. What do you see in that folder? Is it postable? (Don't post a 32 MB log, please.)

Re: yahoo email virus
Hello,

A file named CureIt.log.
This file is not really postable, it is a 116 MB log...


Re: yahoo email virus
116 MB LOL
I do not want to die of boredom yet, so feel free to delete this log.

We will try another online scanner. Hopefully this one does not crash your computer.

Please make sure you are logged in as a user with administrator rights and proceed with the following steps:
  • Use Internet Explorer to browse to the ESET Online Scanner webpage
  • Click the green ESET Online Scanner button
  • A popup window will open
  • Accept the terms of use and click Start
  • Internet Explorer probably informs you that ESET tries to install an add-on. Allow that.
  • UNSELECT the Remove all threats option.
  • Click Start
  • When the scan has finished and threats were found, click List of found threats
  • Click Export to text file and save it as e.g. eset.txt on your desktop
  • Click Back
  • Select Uninstall application on close
  • Click Finish. ESET Online Scanner will now uninstall itself
  • Please post the contents of the eset.txt in your next reply.

Re: yahoo email virus
Hello,

This is the log:

C:\Users\Nandi\Desktop\memori back up\my doc\Downloads\Sony Sound Forge 9.0.441e-DiGiNSAN.rar a variant of Win32/Keygen.AR application
C:\Users\Nandi\Desktop\memori back up\my doc\Downloads\Sony Sound Forge 9.0.441e-DiGiNSAN\DiGiNSAN.rar a variant of Win32/Keygen.AR application
C:\Users\Nandi\Desktop\memori back up\my doc\Downloads\Sony Sound Forge 9.0.441e-DiGiNSAN\Keygen.exe a variant of Win32/Keygen.AR application


Re: yahoo email virus
Keygen/crack warning!
There are keygens and/or cracks on your computer. Please be aware that these programs are generally used for illegal purposes. Software piracy is a crime that we at GeekPolice do not recommend or approve of (but rest assured that we do not report it either).
Keygens and cracks form a very important distribution network for malware. It might be the reason for your present infection. Even if you use renowned security software, you can never be safe, as you might run into a fresh new variant (a so-called 0-day threat).

Example: Two VirusTotal reports of a keygen that in reality was a trojan carrying a nasty infection called TDSS.
THIS is the report of the trojan just after release - 0/40 virus scanners detected the deadly load.
THIS is a report of the same file just five days later - 24/40 have updated their signature database to detect it.
If you would repeat the analysis today, it would probably be detected by even more scanners. Tough luck for the users that picked it up early. Make sure you are not among them.

Stay out of trouble: get free software instead! I provide some safe websites where you can pick up free software, often just as good as commercial software.


OK, your computer appears to be clean.
That means that the spam e-mails were not sent from your computer. Either someone hacked your e-mail account (I assume you have changed your password?) or your e-mail address was spoofed.

Any more questions?
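Telling the two remaining cases apart (account hacked versus address spoofed) is possible once a contact forwards one of the spam messages with full headers. The script below is an added example written for this thread, not something posted by the helper or the user: it reads the Authentication-Results header stamped by the receiving mail server and reports whether the message actually passed through the account owner's provider (a compromised account) or failed SPF/DKIM/DMARC (a spoofed sender). The message samples, the host name mx.example.net and the verdicts in them are constructed for the demonstration.

```python
"""Triage a forwarded spam message: compromised account or spoofed address?

Added example for this thread (not code from the forum or its helper).
Only the Authentication-Results header added by the recipient's own mail
server is trusted; any other copy may have been forged by the sender.
"""
import email
import re
from email import policy

# Matches "spf=pass", "dkim=none", "dmarc=fail", "spf=softfail", ...
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

# Constructed sample 1: SPF fails, no DKIM signature, DMARC fails -> spoofed.
SPOOFED_MSG = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=nandixtr@yahoo.com; dkim=none; dmarc=fail header.from=yahoo.com
From: nandixtr@yahoo.com
To: friend@example.net
Subject: nandixtr

http://example.invalid/link
"""

# Constructed sample 2: the mail really went through the provider's servers
# (DKIM signed by the provider, DMARC aligned) -> the account itself was used.
COMPROMISED_MSG = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=nandixtr@yahoo.com; dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com
From: nandixtr@yahoo.com
To: friend@example.net
Subject: nandixtr

http://example.invalid/link
"""

# Constructed sample 3: the sender injected a fake "pass" header, but the
# recipient's own server (mx.example.net) stamped a failing one on top.
FORGED_MSG = """\
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=nandixtr@yahoo.com; dkim=fail header.d=yahoo.com; dmarc=fail header.from=yahoo.com
Authentication-Results: attacker.invalid; spf=pass; dkim=pass; dmarc=pass
From: nandixtr@yahoo.com
To: friend@example.net
Subject: nandixtr

http://example.invalid/link
"""


def parse_auth_results(value):
    """Parse one Authentication-Results value into a dict.

    Returns {"authserv": <server id>, "spf": ..., "dkim": ..., "dmarc": ...};
    methods that are absent from the header are simply missing from the dict.
    """
    authserv = value.split(";", 1)[0].strip()
    results = {"authserv": authserv}
    for method, verdict in AUTH_RE.findall(value):
        # If a method appears twice, keep the first (outermost) verdict.
        results.setdefault(method.lower(), verdict.lower())
    return results


def classify(raw_message, trusted_authserv):
    """Classify a raw RFC 822 message as seen by the recipient.

    trusted_authserv is the authserv-id of the recipient's own mail server;
    headers claiming to come from anyone else are ignored.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    for header in msg.get_all("Authentication-Results") or []:
        res = parse_auth_results(str(header))
        if res["authserv"] != trusted_authserv:
            continue  # possibly forged by the sender; do not trust it
        spf = res.get("spf", "none")
        dkim = res.get("dkim", "none")
        dmarc = res.get("dmarc", "none")
        if dkim == "pass" or dmarc == "pass":
            # Signed by the provider: the real account sent it.
            return "account-compromise"
        if dkim in ("none", "fail") and (spf in ("fail", "softfail") or dmarc == "fail"):
            return "spoofed"
        return "inconclusive"
    return "no-trusted-auth-header"


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_MSG), ("compromised", COMPROMISED_MSG),
                         ("forged", FORGED_MSG)):
        print(name, "->", classify(sample, "mx.example.net"))
```

An "account-compromise" verdict means changing the password (from a clean machine) and reviewing the account's active sessions and forwarding rules is the right fix; a "spoofed" verdict means the sending machine was never yours and a password change, while harmless, does not stop the mails. The authserv-id check matters because a sender can write any Authentication-Results header it likes; only the copy added by the last hop is evidence.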

Re: yahoo email virus

I understand the issue with the keygens and/or cracks and I thank you for the links.

Yes, I changed my password.

Thank you for helping. No more questions. (for now :) ...)


Re: yahoo email virus

Cool.

You will no longer need Combofix.
Go to Start > Run and type or copy/paste
combofix /uninstall


====================

To close this case, let me provide you with some recommendations:

1) Keep your Windows up-to-date. Windows Autoupdate should be ON (see Start >> Control Panel >> Security Center). An alternative way (but more time-consuming) is to periodically visit http://windowsupdate.microsoft.com. Hackers are looking every day for new security holes. Microsoft keeps patching them. You cannot fall behind in this race; it will make your system vulnerable.

2) For your average daily computer activities, use a limited/standard user account. If you use Vista/WIN7 do not disable User Account Control (UAC). You would be amazed to know how much malware can't touch you if you deny it admin rights. Create a separate password-protected administrator account that you use for admin activities, like (un)installing software.

3) Use a good antivirus. There are various free ones, you cannot go wrong with either of the following three:
  • Panda Cloud Antivirus. If you want your antivirus to be light on resources, I recommend Panda. Install without the toolbar.
  • Avira. 100 million users can't be wrong. If you want high detection rates, this is your best free bet.
  • Avast! is a very complete antivirus, with modules like mailscanner and webshield.

4) If your computer has 1GB system memory or more, you should install a third party firewall, to replace the weak Windows Firewall. I recommend:

Note: you should run only ONE antivirus and ONE firewall. Running multiples of either is bad, it will cause slowdowns and/or conflicts.

5) Miscellaneous advice:
  • Stay away from cracks and keygens (look here for the why). Get free software instead. Gizmo is an excellent source of freeware reviews.
  • Navigate safely. Google Chrome is the safest browser available. However, Mozilla Firefox can be made extremely safe with the NoScript addon. Internet Explorer (always use version 8) can be made a lot safer with Spywareblaster (manual here).
  • The WOT (Web Of Trust) addon will help you to stay on reliable webpages.
  • WinPatrol alerts you when changes are made in vital system areas. Especially good on light systems not running a third party firewall.
  • Make sure you have ways to recuperate your operating system and other vital data if it gets frustrated by malware and/or other problems. A Windows setup CD and recent backups/disk images will be priceless if you find yourself in an unexpected tight spot.

Finally: did we help you? Help us back!
