[Solved] 8 Steps and stuck on step 2

Discussion in 'Virus and Malware Removal' started by misschievous, Oct 16, 2010.

  1. misschievous Newcomer, in training

    i can't get it to update
    still being redirected

    it is often the google-analytics site ...
  2. misschievous Newcomer, in training

    actually ... something seems to have happened ...

    iexplorer still opens but it goes to an IP address and "can't display the webpage", the same IP address every time

    but ... I spoke too soon last time LOL
  3. misschievous Newcomer, in training

    hmm back to valid pages now
  4. crunchie Malware Helper

    That MBA-M log you posted has the same definitions file as the original, but you were able to update it earlier to a much later definitions file. What happened to the updated definitions?
    Try the following link for a manual update: http://data.mbamupdates.com/tools/mbam-rules.exe

    Are you having to scan in safe mode, or are you just electing to do that?
    MBA-M needs to be run in normal mode to be at its most effective.
  5. misschievous Newcomer, in training

    it wouldn't run ... so I tried safe mode...

    and when MBAM would run again I deleted and downloaded again ...

    will update manually
  6. misschievous Newcomer, in training

    ok ... is that a bad link or am I back to my little friend interfering?
  7. crunchie Malware Helper

    Nasty one this :(.

    Can you delete the version of combofix you have there now and then download another copy and run it as per my first instructions.
    The same download link can be used.
  8. misschievous Newcomer, in training

    PEV.exe stopped running while combofix was running ....

    it won't let me open the log ...

    it says "Illegal operation attempted on a registry key that has been marked for deletion"
  9. misschievous Newcomer, in training

    and now it is telling me the same thing when i try to open internet explorer
  10. misschievous Newcomer, in training

    ok after reboot iexplorer seems to be ok

    ComboFix 10-11-07.01 - owner 11/06/2010 16:06:49.4.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.1871 [GMT -5:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 )))))))))))))))))))))))))))))))
    .

    2010-11-06 21:27 . 2010-11-06 21:27 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-04 17:59 . 2010-11-04 17:59 -------- d-----w- c:\program files\ieSpell
    2010-11-02 23:50 . 2010-11-02 23:53 -------- d-----w- c:\program files\HomeDepot
    2010-11-02 22:23 . 2010-11-06 21:29 -------- d-----w- c:\users\owner\AppData\Local\temp
    2010-10-27 11:11 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-27 11:11 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 11:11 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-24 00:00 . 2010-10-24 00:00 -------- d-----w- c:\program files\7-Zip
    2010-10-20 16:16 . 2010-10-20 16:16 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
    2010-10-20 16:12 . 2010-10-20 16:13 -------- d-----w- c:\windows\SQL9_KB970892_ENU
    2010-10-18 17:48 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-18 17:48 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-18 16:34 . 2010-10-20 16:17 -------- d-----w- c:\program files\Microsoft SQL Server
    2010-10-18 16:33 . 2010-10-18 16:33 -------- d-----w- c:\users\owner\AppData\Roaming\EJ innovations
    2010-10-18 16:33 . 2010-10-18 16:33 -------- d-----w- c:\users\owner\AppData\Local\EJ_innovations
    2010-10-18 16:31 . 2010-10-18 16:31 -------- d-----w- c:\program files\EJ innovations
    2010-10-17 03:13 . 2010-10-17 03:13 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
    2010-10-17 01:15 . 2010-10-17 01:15 -------- d-----w- c:\programdata\Malwarebytes
    2010-10-16 18:06 . 2010-10-16 18:06 -------- d-----w- c:\users\owner\AppData\Roaming\Avira
    2010-10-16 17:59 . 2010-11-04 16:09 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-16 17:59 . 2010-11-04 16:09 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-10-16 17:59 . 2009-05-11 17:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-10-16 17:59 . 2009-05-11 17:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-10-16 17:59 . 2010-10-16 17:59 -------- d-----w- c:\programdata\Avira
    2010-10-16 17:59 . 2010-10-16 17:59 -------- d-----w- c:\program files\Avira
    2010-10-15 17:59 . 2010-10-15 17:59 -------- d-----w- c:\users\owner\AppData\Local\Radium Technologies
    2010-10-15 17:59 . 2010-10-15 17:59 -------- dc-h--w- c:\programdata\{EFBAD1D6-DB32-4E45-ACA1-FB05458C6D20}
    2010-10-15 17:59 . 2010-10-15 17:59 -------- d-----w- c:\programdata\Radium Technologies
    2010-10-15 17:59 . 2010-10-15 17:59 -------- d-----w- c:\program files\Radium Technologies
    2010-10-15 16:01 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D478BCDC-EF6E-40DD-8291-6AB98D016A92}\mpengine.dll
    2010-10-14 23:46 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
    2010-10-14 23:46 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-10-14 23:46 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
    2010-10-14 23:46 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
    2010-10-14 23:46 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-01 01:47 . 2008-09-19 23:15 6144 ----a-w- c:\windows\system32\drivers\RDPCDD.sys
    2010-08-26 16:33 . 2010-10-27 11:11 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33 . 2010-10-27 11:11 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:33 . 2010-10-27 11:11 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33 . 2010-10-27 11:11 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-17 14:11 . 2010-09-15 17:56 128000 ----a-w- c:\windows\system32\spoolsv.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{19A0F032-27D7-4227-BBB5-51AA9E5904F5}"= "c:\program files\Dogpile Toolbar\Helper.dll" [BU]
    "{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-10-19 187192]

    [HKEY_CLASSES_ROOT\clsid\{19a0f032-27d7-4227-bbb5-51aa9e5904f5}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{4F996865-1782-4614-BAF5-C1365A030352}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD}]
    2009-05-26 15:41 1297920 ----a-w- c:\program files\Dogpile Toolbar\Toolbar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2009-10-19 20:15 1345336 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{C53FE659-316A-4F56-A194-A5BE491BE866}"= "c:\program files\Dogpile Toolbar\Toolbar.dll" [2009-05-26 1297920]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

    [HKEY_CLASSES_ROOT\clsid\{c53fe659-316a-4f56-a194-a5be491be866}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{587A2AD9-5F47-4029-8123-77327768C9F3}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{C53FE659-316A-4F56-A194-A5BE491BE866}"= "c:\program files\Dogpile Toolbar\Toolbar.dll" [2009-05-26 1297920]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

    [HKEY_CLASSES_ROOT\clsid\{c53fe659-316a-4f56-a194-a5be491be866}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{587A2AD9-5F47-4029-8123-77327768C9F3}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
    2010-01-04 15:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
    2010-01-04 15:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "DW6"="" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-19 202256]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Corel Desktop Application Director 8.LNK]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Corel Desktop Application Director 8.LNK
    backup=c:\windows\pss\Corel Desktop Application Director 8.LNK.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
    backup=c:\windows\pss\Lotus Organizer EasyClip.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Lotus QuickStart.lnk
    backup=c:\windows\pss\Lotus QuickStart.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus SmartCenter.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
    backup=c:\windows\pss\Lotus SmartCenter.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus SuiteStart.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
    backup=c:\windows\pss\Lotus SuiteStart.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^MozyHome Status.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk
    backup=c:\windows\pss\MozyHome Status.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
    backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
    path=c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk
    backup=c:\windows\pss\IMVU.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
    path=c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
    backup=c:\windows\pss\OpenOffice.org 2.3.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2008-07-10 13:47 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate]
    2001-07-03 18:12 176128 ----a-w- c:\windows\System32\BMUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\enaexpjm]
    c:\users\owner\AppData\Local\mtyeblktr\umswbxluqiw.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2007-07-16 16:54 311984 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2008-06-16 13:03 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2007-10-01 23:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-06-02 07:55 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-09-13 15:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdglwenb]
    c:\users\owner\AppData\Local\Temp\ratrreivj\xcrhmosyhsn.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KOO9RV9K4Z]
    c:\users\owner\AppData\Local\Temp\Ftx.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-08-24 01:36 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdiamon]
    2007-07-16 16:54 25264 ----a-w- c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdimon.exe]
    2007-07-16 16:54 434864 ----a-w- c:\program files\Lexmark 3500-4500 Series\lxdimon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2008-10-17 01:57 4347120 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    ~c:\program files\Windows Live\Messenger\msnmsgr.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-12-04 07:42 13556256 ----a-w- c:\windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-12-04 07:42 92704 ----a-w- c:\windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2008-12-04 07:42 711200 ----a-w- c:\windows\System32\nvsvc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
    2007-09-04 21:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2008-05-30 19:54 21718312 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMH2B46TDP]
    c:\users\owner\AppData\Local\Temp\Ft0.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
    2010-02-24 18:53 111928 ----a-r- c:\program files\SweetIM\Messenger\SweetIM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-19 16:57 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2007-08-17 07:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
    c:\program files\uniblue\registrybooster\StartRegistryBooster.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\urdppohx]
    c:\users\owner\AppData\Local\iupebtkcs\udujrequqiw.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
    2007-01-08 22:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 136176]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-04 135336]
    S2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe [2007-06-11 517040]
    S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-06-11 99248]
    S2 MSSQL$CHEF;SQL Server (CHEF);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-24 01:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 01:52]

    2010-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 01:52]

    2010-10-28 c:\windows\Tasks\HPCeeScheduleForowner.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-10-23 18:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://finance.groups.yahoo.com/group/credit-repair/
    mStart Page = hxxp://home.sweetim.com
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:29775
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-06 16:28
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(4508)
    c:\program files\MozyHome\mozyshell.dll
    .
    Completion time: 2010-11-06 16:51:46
    ComboFix-quarantined-files.txt 2010-11-06 21:51
    ComboFix2.txt 2010-11-02 22:40
    ComboFix3.txt 2010-10-21 22:09

    Pre-Run: 106,302,910,464 bytes free
    Post-Run: 106,276,536,320 bytes free

    - - End Of File - - 1BAE64BC1E7F0EE6EE0D235FFB29D862
  11. crunchie Malware Helper

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    File::
    c:\users\owner\AppData\Local\Temp\Ftx.exe
    c:\users\owner\AppData\Local\Temp\Ft0.exe
    
    Folder::
    c:\users\owner\AppData\Local\mtyeblktr
    c:\users\owner\AppData\Local\Temp\ratrreivj
    c:\users\owner\AppData\Local\iupebtkcs
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\enaexpjm]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdglwenb]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KOO9RV9K4Z]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMH2B46TDP]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\urdppohx]
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ==========

    Let me know how things are now please.
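Added example, not part of the thread and not ComboFix's or the helper's own code: a Python triage script that does by hand what the helper did when reading post 10's log. It walks the `msconfig\startupreg` entries, flags executables launched from the user-writable `AppData\Local` tree and value names that are long uppercase letter/digit mixes (`KOO9RV9K4Z`, `SMH2B46TDP`), flags the `uInternet Settings,ProxyServer = http=127.0.0.1:29775` line (a proxy on the local machine is the usual mechanism behind "still being redirected"), and emits a CFScript in the same `File::` / `Folder::` / `Registry::` layout as post 11. The sample log lines are constructed test data shaped like the real log; the two heuristics are the editor's assumptions, not ComboFix rules, and the `[-KEY]` form is regedit's delete-key syntax, which is what the `Registry::` section relies on.

```python
import re
from dataclasses import dataclass

# Constructed sample (hypothetical test data) shaped like the ComboFix log
# posted in this thread; a real run would read the whole ComboFix.txt.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\enaexpjm]
c:\users\owner\AppData\Local\mtyeblktr\umswbxluqiw.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdglwenb]
c:\users\owner\AppData\Local\Temp\ratrreivj\xcrhmosyhsn.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KOO9RV9K4Z]
c:\users\owner\AppData\Local\Temp\Ftx.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
~c:\program files\Windows Live\Messenger\msnmsgr.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMH2B46TDP]
c:\users\owner\AppData\Local\Temp\Ft0.exe [BU]

uStart Page = hxxp://finance.groups.yahoo.com/group/credit-repair/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:29775
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# A "YYYY-MM-DD HH:MM size attrs " prefix precedes the path when ComboFix
# recorded file metadata; "[BU]" follows the path when it did not. [BU] is
# recorded here but is not an indicator by itself (the legitimate MsnMsgr
# entry in the thread carries it too).
VAL_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ )?~?"
    r"(?P<path>[a-zA-Z]:\\.*?\.exe)(?P<bu> \[BU\])?$"
)
# ComboFix prefixes per-user (HKCU) settings with "u" and machine-wide with "m".
PROXY_RE = re.compile(r"^(?P<hive>[um])Internet Settings,ProxyServer = (?P<value>.+)$")
# Heuristics (editor's assumptions, not ComboFix rules).
USER_LOCAL_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\", re.I)
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,}$")


@dataclass
class Finding:
    key: str            # full registry key as printed by ComboFix
    name: str           # last component of the key (the startupreg value name)
    path: str           # executable the entry launches
    reasons: list       # why it was flagged


def parse_startup_entries(text):
    """Return (key, exe_path, has_bu) for every startupreg entry in the log."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if not m or "startupreg" not in m.group(1).lower():
            continue
        for nxt in lines[i + 1:]:       # the executable is on the next non-empty line
            if nxt:
                break
        else:
            continue
        v = VAL_RE.match(nxt)
        if v:
            entries.append((m.group(1), v.group("path"), bool(v.group("bu"))))
    return entries


def triage(entries):
    """Apply the two heuristics; return only the entries that hit at least one."""
    findings = []
    for key, path, _bu in entries:
        name = key.rsplit("\\", 1)[-1]
        reasons = []
        if USER_LOCAL_RE.match(path):
            reasons.append("runs from user-writable AppData\\Local")
        if RANDOM_NAME_RE.match(name):
            reasons.append("random-looking registry value name")
        if reasons:
            findings.append(Finding(key, name, path, reasons))
    return findings


def find_local_proxy(text):
    """Return (hive, value) for ProxyServer settings that point at this machine."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m and re.search(r"(127\.0\.0\.1|localhost):\d+", m.group("value")):
            hits.append((m.group("hive"), m.group("value")))
    return hits


def build_cfscript(findings):
    """Emit a CFScript: delete dropped files/folders and the keys that launch them."""
    files, folders, keys = [], [], []
    for f in findings:
        parent = f.path.rsplit("\\", 1)[0]
        # An exe dropped straight into AppData\Local or its Temp root: delete the
        # file only; an exe in its own random-named folder: delete the folder.
        if parent.lower().endswith(("\\appdata\\local", "\\appdata\\local\\temp")):
            files.append(f.path)
        else:
            folders.append(parent)
        keys.append("[-%s]" % f.key)    # leading '-' = delete the key (regedit syntax)
    out = ["KillAll::", ""]
    if files:
        out += ["File::"] + files + [""]
    if folders:
        out += ["Folder::"] + sorted(set(folders)) + [""]
    out += ["Registry::"] + keys
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(parse_startup_entries(SAMPLE_LOG))
    for h in hits:
        print("%-12s %s  <- %s" % (h.name, h.path, "; ".join(h.reasons)))
    for hive, value in find_local_proxy(SAMPLE_LOG):
        print("proxy (%s hive): %s" % ("user" if hive == "u" else "machine", value))
    print(build_cfscript(hits))
```

Run against the sample, the script flags the four entries the helper removed and leaves Adobe and MsnMsgr alone; the generated `Registry::` section carries the `-` on every key, which is the detail that decides whether ComboFix deletes the key or merely touches it. The local proxy is reported separately because CFScript's `Registry::` section is the place to clear it, but that is a decision for whoever is driving the cleanup, not something to automate blindly.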
  12. misschievous Newcomer, in training

    ComboFix 10-11-07.01 - owner 11/11/2010 18:51:11.5.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.1966 [GMT -6:00]
    Running from: C:\Users\owner\Desktop\ComboFix.exe
    Command switches used :: C:\Users\owner\Desktop\CFScript.txt
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "c:\users\owner\AppData\Local\Temp\Ft0.exe"
    "c:\users\owner\AppData\Local\Temp\Ftx.exe"
    .

    ((((((((((((((((((((((((( Files Created from 2010-10-12 to 2010-11-12 )))))))))))))))))))))))))))))))
    .

    2010-11-12 01:08:07 . 2010-11-12 01:12:50 -------- d-----w- C:\Users\owner\AppData\Local\temp
    2010-11-12 01:08:07 . 2010-11-12 01:08:07 -------- d-----w- C:\Users\Default\AppData\Local\temp
    2010-11-10 18:47:16 . 2010-10-07 11:37:35 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
    2010-11-04 17:59:17 . 2010-11-04 17:59:20 -------- d-----w- C:\Program Files\ieSpell
    2010-11-02 23:50:31 . 2010-11-02 23:53:39 -------- d-----w- C:\Program Files\HomeDepot
    2010-10-27 11:11:24 . 2010-08-26 16:34:50 1696256 ----a-w- C:\Windows\system32\gameux.dll
    2010-10-27 11:11:22 . 2010-08-26 16:33:12 28672 ----a-w- C:\Windows\system32\Apphlpdm.dll
    2010-10-27 11:11:22 . 2010-08-26 14:23:58 4240384 ----a-w- C:\Windows\system32\GameUXLegacyGDFs.dll
    2010-10-24 00:00:55 . 2010-10-24 00:00:56 -------- d-----w- C:\Program Files\7-Zip
    2010-10-20 16:16:50 . 2010-10-20 16:16:52 -------- d-----w- C:\Windows\SQLTools9_KB970892_ENU
    2010-10-20 16:12:57 . 2010-10-20 16:13:00 -------- d-----w- C:\Windows\SQL9_KB970892_ENU
    2010-10-18 17:48:15 . 2010-04-29 20:39:38 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
    2010-10-18 17:48:02 . 2010-04-29 20:39:26 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys
    2010-10-18 16:34:32 . 2010-10-20 16:17:14 -------- d-----w- C:\Program Files\Microsoft SQL Server
    2010-10-18 16:33:25 . 2010-10-18 16:33:25 -------- d-----w- C:\Users\owner\AppData\Roaming\EJ innovations
    2010-10-18 16:33:22 . 2010-10-18 16:33:22 -------- d-----w- C:\Users\owner\AppData\Local\EJ_innovations
    2010-10-18 16:31:23 . 2010-10-18 16:31:23 -------- d-----w- C:\Program Files\EJ innovations
    2010-10-17 03:13:59 . 2010-10-17 03:13:59 -------- d-----w- C:\Users\owner\AppData\Roaming\Malwarebytes
    2010-10-17 01:15:30 . 2010-10-17 01:15:31 -------- d-----w- C:\ProgramData\Malwarebytes
    2010-10-16 18:06:48 . 2010-10-16 18:06:48 -------- d-----w- C:\Users\owner\AppData\Roaming\Avira
    2010-10-16 17:59:48 . 2010-11-04 16:09:59 60936 ----a-w- C:\Windows\system32\drivers\avgntflt.sys
    2010-10-16 17:59:48 . 2010-11-04 16:09:59 126856 ----a-w- C:\Windows\system32\drivers\avipbb.sys
    2010-10-16 17:59:48 . 2009-05-11 17:49:28 51992 ----a-w- C:\Windows\system32\drivers\avgntdd.sys
    2010-10-16 17:59:48 . 2009-05-11 17:49:28 17016 ----a-w- C:\Windows\system32\drivers\avgntmgr.sys
    2010-10-16 17:59:46 . 2010-10-16 17:59:46 -------- d-----w- C:\ProgramData\Avira
    2010-10-16 17:59:46 . 2010-10-16 17:59:46 -------- d-----w- C:\Program Files\Avira
    2010-10-15 17:59:42 . 2010-10-15 17:59:42 -------- d-----w- C:\Users\owner\AppData\Local\Radium Technologies
    2010-10-15 17:59:25 . 2010-10-15 17:59:25 -------- dc-h--w- C:\ProgramData\{EFBAD1D6-DB32-4E45-ACA1-FB05458C6D20}
    2010-10-15 17:59:11 . 2010-10-15 17:59:11 -------- d-----w- C:\ProgramData\Radium Technologies
    2010-10-15 17:59:11 . 2010-10-15 17:59:11 -------- d-----w- C:\Program Files\Radium Technologies
    2010-10-15 16:01:13 . 2010-09-09 22:52:57 6084944 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D478BCDC-EF6E-40DD-8291-6AB98D016A92}\mpengine.dll
    2010-10-14 23:46:23 . 2010-09-13 13:56:02 168960 ----a-w- C:\Program Files\Windows Media Player\wmplayer.exe
    2010-10-14 23:46:22 . 2010-09-13 13:56:41 8147456 ----a-w- C:\Windows\system32\wmploc.DLL
    2010-10-14 23:46:06 . 2010-06-28 17:00:21 1316864 ----a-w- C:\Windows\system32\ole32.dll
    2010-10-14 23:46:06 . 2010-06-28 14:54:38 339968 ----a-w- C:\Program Files\Windows NT\Accessories\wordpad.exe
    2010-10-14 23:46:02 . 2010-08-10 15:53:15 274944 ----a-w- C:\Windows\system32\schannel.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-01 01:47:23 . 2008-09-19 23:15:55 6144 ----a-w- C:\Windows\system32\drivers\RDPCDD.sys
    2010-08-26 16:33:06 . 2010-10-27 11:11:22 173056 ----a-w- C:\Windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33:04 . 2010-10-27 11:11:23 542720 ----a-w- C:\Windows\apppatch\AcLayers.dll
    2010-08-26 16:33:04 . 2010-10-27 11:11:23 458752 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33:04 . 2010-10-27 11:11:23 2159616 ----a-w- C:\Windows\apppatch\AcGenral.dll
    2010-08-17 14:11:37 . 2010-09-15 17:56:34 128000 ----a-w- C:\Windows\system32\spoolsv.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{19A0F032-27D7-4227-BBB5-51AA9E5904F5}"= "C:\Program Files\Dogpile Toolbar\Helper.dll" [BU]
    "{EEE6C35D-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-10-19 20:15:06 187192]

    [HKEY_CLASSES_ROOT\clsid\{19a0f032-27d7-4227-bbb5-51aa9e5904f5}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{4F996865-1782-4614-BAF5-C1365A030352}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399C60D2-38B1-4E25-B9E7-6498C1BC2DCD}]
    2009-05-26 15:41:44 1297920 ----a-w- C:\Program Files\Dogpile Toolbar\Toolbar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2009-10-19 20:15:04 1345336 ----a-w- C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{C53FE659-316A-4F56-A194-A5BE491BE866}"= "C:\Program Files\Dogpile Toolbar\Toolbar.dll" [2009-05-26 15:41:44 1297920]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 20:15:04 1345336]

    [HKEY_CLASSES_ROOT\clsid\{c53fe659-316a-4f56-a194-a5be491be866}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{587A2AD9-5F47-4029-8123-77327768C9F3}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{C53FE659-316A-4F56-A194-A5BE491BE866}"= "C:\Program Files\Dogpile Toolbar\Toolbar.dll" [2009-05-26 15:41:44 1297920]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 20:15:04 1345336]

    [HKEY_CLASSES_ROOT\clsid\{c53fe659-316a-4f56-a194-a5be491be866}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{587A2AD9-5F47-4029-8123-77327768C9F3}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
    2010-01-04 15:36:28 2848568 ----a-w- C:\Program Files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
    2010-01-04 15:36:28 2848568 ----a-w- C:\Program Files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 07:33:09 125952]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 06:28:03 1233920]
    "DW6"="" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 08:29:10 102400]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 02:17:32 49152]
    "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-12-04 07:42:00 13556256]
    "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-12-04 07:42:00 92704]
    "Microsoft Default Manager"="C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 17:05:02 233304]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2010-03-19 16:57:21 202256]
    "avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 16:09:57 281768]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Corel Desktop Application Director 8.LNK]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Corel Desktop Application Director 8.LNK
    backup=C:\Windows\pss\Corel Desktop Application Director 8.LNK.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
    backup=C:\Windows\pss\Lotus Organizer EasyClip.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Lotus QuickStart.lnk
    backup=C:\Windows\pss\Lotus QuickStart.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus SmartCenter.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
    backup=C:\Windows\pss\Lotus SmartCenter.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Lotus SuiteStart.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
    backup=C:\Windows\pss\Lotus SuiteStart.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^MozyHome Status.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk
    backup=C:\Windows\pss\MozyHome Status.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
    backup=C:\Windows\pss\Vongo Tray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
    path=C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk
    backup=C:\Windows\pss\IMVU.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
    path=C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
    backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 21:10:28 35696 ----a-w- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2008-07-10 13:47:28 116040 ----a-w- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate]
    2001-07-03 18:12:36 176128 ----a-w- C:\Windows\System32\BMUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2007-07-16 16:54:05 311984 ----a-w- C:\Program Files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2008-06-16 13:03:20 75008 ----a-w- c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 02:17:32 49152 ----a-w- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2007-10-01 23:10:48 1783136 ----a-w- C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-06-02 07:55:22 80896 ----a-w- C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-09-13 15:47:52 480560 ----a-w- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-07-10 14:51:32 289064 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-08-24 01:36:30 455968 ----a-w- C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdiamon]
    2007-07-16 16:54:10 25264 ----a-w- C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdimon.exe]
    2007-07-16 16:54:07 434864 ----a-w- C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2008-10-17 01:57:52 4347120 ----a-w- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    ~C:\Program Files\Windows Live\Messenger\msnmsgr.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-12-04 07:42:00 13556256 ----a-w- C:\Windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-12-04 07:42:00 92704 ----a-w- C:\Windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2008-12-04 07:42:00 711200 ----a-w- C:\Windows\System32\nvsvc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
    2007-09-04 21:54:20 554320 ----a-w- C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-09-19 22:31:34 202032 ----a-w- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2007-10-01 03:34:14 181544 ----a-w- C:\Program Files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-05-27 14:50:30 413696 ----a-w- C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2008-05-30 19:54:14 21718312 ----a-r- C:\Program Files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMH2B46TDP]
    C:\Users\owner\AppData\Local\Temp\Ft0.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-07-25 09:23:12 149280 ----a-w- C:\Program Files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
    2010-02-24 18:53:10 111928 ----a-r- C:\Program Files\SweetIM\Messenger\SweetIM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-19 16:57:21 202256 ----a-w- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2007-08-17 07:13:28 218408 ------w- C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
    c:\program files\uniblue\registrybooster\StartRegistryBooster.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
    2007-01-08 22:53:06 311296 ----a-w- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38:38 1008184 ----a-w- C:\Program Files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 18:16:28 130384]
    R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-10-03 01:52:57 136176]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 18:16:28 753504]
    R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 06:14:59 16896]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2010-11-04 16:09:59 135336]
    S2 lxdi_device;lxdi_device;C:\Windows\system32\lxdicoms.exe [2007-06-11 14:14:51 517040]
    S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-06-11 14:14:42 99248]
    S2 MSSQL$CHEF;SQL Server (CHEF);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 08:27:04 29262680]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-24 01:34:48 451872 ----a-w- C:\Program Files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-12 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2010-10-03 01:53:23 . 2010-10-03 01:52:57]

    2010-11-12 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2010-10-03 01:53:23 . 2010-10-03 01:52:57]

    2010-10-28 C:\Windows\Tasks\HPCeeScheduleForowner.job
    - C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-10-23 05:54:39 . 2007-09-28 18:58:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://finance.groups.yahoo.com/group/credit-repair/
    mStart Page = hxxp://home.sweetim.com
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:29775
    IE: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    .
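The loading points above carry the entries a helper zeroes in on: an IE ProxyServer pointing at 127.0.0.1:29775 (browser traffic forced through a local listener, which produces redirects without any DNS change), a startup entry running from a Temp folder with no file details ([BU]), UAC turned off, and Security Center monitoring muted. The triage script below is an added example, not code from the thread or from ComboFix; it flags such lines in report text so they can be reviewed, using a constructed sample modelled on this log.

```python
import re

# Constructed sample in the shape of a ComboFix report, modelled on the
# entries visible in the thread (not the complete log).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\SMH2B46TDP]
C:\\Users\\owner\\AppData\\Local\\Temp\\Ft0.exe [BU]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Skype]
2008-05-30 19:54:14 21718312 ----a-r- C:\\Program Files\\Skype\\Phone\\Skype.exe
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:29775
uStart Page = hxxp://finance.groups.yahoo.com/group/credit-repair/
"""

# Optional "scheme=" prefix, then host:port, e.g. "http=127.0.0.1:29775".
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^:\s;]+):(\d+)")
KEY_RE = re.compile(r"^\[.*\]$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def _is_loopback(host):
    return host.lower() == "localhost" or host.startswith("127.")


def triage(report_text):
    """Return a list of findings (dicts) for lines that deserve a second look.

    Each finding carries the rule name, a severity, the registry key that
    was in force when the line appeared (if any) and the raw line.
    """
    findings = []
    current_key = None
    line = ""

    def add(rule, severity, why, **extra):
        findings.append(dict(rule=rule, severity=severity, why=why,
                             key=current_key, line=line, **extra))

    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if KEY_RE.match(line):
            current_key = line          # remember the section for context
            continue
        m = PROXY_RE.search(line)
        if m and _is_loopback(m.group(1)):
            # Browser traffic is forced through something listening locally;
            # a redirector can sit here without touching DNS at all.
            add("local_proxy", "high",
                "IE proxy points at loopback port %s" % m.group(2),
                host=m.group(1), port=int(m.group(2)))
        elif line.endswith("[BU]") and TEMP_RE.search(line):
            # Autostart executing from a Temp folder, with no size/timestamp
            # recorded: typical of a dropped loader rather than an installer.
            add("temp_autostart", "high",
                "startup entry runs from a Temp directory")
        elif re.search(r'"EnableLUA"\s*=\s*0\b', line):
            add("uac_disabled", "medium", "UAC is turned off")
        elif re.search(r'"DisableMonitoring"\s*=\s*dword:0*1\b', line):
            add("security_center_muted", "medium",
                "Security Center monitoring disabled under this key")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s: %s\n    %s" % (f["severity"].upper(), f["rule"], f["why"], f["line"]))
```

A flag is a prompt to look, not a verdict: a local filtering proxy the user installed on purpose would trip the same rule.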
  13. misschievous Newcomer, in training

    still being redirected ... through ... r3.google.....
  14. crunchie Malware Helper

    Go to Start > Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
    Restart computer and check for redirections.

    NOTE. You may need to re-check your router security settings, as described HERE

    ===========

    Check to see if the re-directs still exist.
  15. misschievous Newcomer, in training

    ok .... looks good.

    I'm betting I should have mentioned the r3.google thing a week or more ago? sorry about that.
  16. crunchie Malware Helper

    Maybe, but it is all a matter of steps until we get to the right floor :).

    Give it a day or so and let me know if it is still good.
  17. misschievous Newcomer, in training

    everything is still good .... thanks!!!

    now ... what (of the programs from here) programs should I keep around and which should I delete?


    and just for my info ... let me see if I have it right... this POS changed my dns servers to their own ... so 3 out of 4 times I would be redirected via the dns server to their garbage?
  18. crunchie Malware Helper

    Definitely keep MBA-M and the rest can be re-downloaded if needed again as they are regularly updated.
    Slippery little suckers these days, aren't they :).

    ============

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC by OldTimer:
    Save it to your Desktop.
    Double click OTC.exe.
    Click the CleanUp! button.
    If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.