TechSpot

Browser redirects from Google searches

By Dzapper
Dec 4, 2011
The system had a fake "system integrity" malware a few days ago. I got rid of it, but now we have search results being redirected to junk web sites. More malware and trojans have popped up since I got rid of the fake system check, but things look clean now except for the redirects. I could not get any logs from GMER as they were all empty, but it did pop up an exception when I ran it (Load Driver C:../../kxtdipog.sys error 0XC000010E cannot create a stable subkey under a volatile parent key). Here are my Malwarebytes and DDS logs:

    Malwarebytes log:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8302

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/4/2011 04:01:47
    mbam-log-2011-12-04 (04-01-47).txt

    Scan type: Quick scan
    Objects scanned: 193424
    Time elapsed: 1 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)


    DDS:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Run by HALO at 5:01:16 on 2011-12-04
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.2774 [GMT 0:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    svchost.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    Trusted Zone: watchitmove.com
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {C9101148-151A-470D-9CE5-C163C0361EAE} - hxxp://www.ipromote.com/assets/media/toolbars/ipromote_toolbar.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: Interfaces\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE} : NameServer = 204.117.214.10,199.2.252.10
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    LSA: Authentication Packages = msv1_0 wvauth
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\halo\application data\mozilla\firefox\profiles\akgs7kj7.default\
    FF - plugin: c:\documents and settings\halo\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2010-7-30 24064]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsld7b1541a;MpKsld7b1541a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{28565789-cd0f-43f0-8336-8bca58bd244b}\mpksld7b1541a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{28565789-cd0f-43f0-8336-8bca58bd244b}\MpKsld7b1541a.sys [?]
    R1 MpKsle55d2bba;MpKsle55d2bba;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{497950ba-2160-437f-8423-6478ff7dfbb5}\MpKsle55d2bba.sys [2011-12-4 29904]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2010-2-8 376688]
    S1 MpKslcb6bd7e8;MpKslcb6bd7e8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be63d181-a450-415e-8e78-281938d2850b}\mpkslcb6bd7e8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be63d181-a450-415e-8e78-281938d2850b}\MpKslcb6bd7e8.sys [?]
    S2 BackupService;BackupService;c:\documents and settings\halo\application data\hp simplesave application\uUACTokenSvc.exe [2011-7-3 83512]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-30 136176]
    S3 ATMEPVCM;Microsoft Ethernet PVC;c:\windows\system32\drivers\atmepvc.sys [2008-4-25 31360]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-30 136176]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
    S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\safe returner\regkernelhelp.sys --> c:\program files\safe returner\RegKernelHelp.sys [?]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-12-04 04:33:32 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{497950ba-2160-437f-8423-6478ff7dfbb5}\MpKsle55d2bba.sys
    2011-12-04 04:33:29 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{497950ba-2160-437f-8423-6478ff7dfbb5}\offreg.dll
    2011-12-04 04:33:28 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{497950ba-2160-437f-8423-6478ff7dfbb5}\mpengine.dll
    2011-12-03 23:32:04 -------- d-----w- C:\ComboFix
    2011-12-03 04:29:00 -------- d-sha-r- C:\cmdcons
    2011-12-03 04:20:11 98816 ----a-w- c:\windows\sed.exe
    2011-12-03 04:20:11 518144 ----a-w- c:\windows\SWREG.exe
    2011-12-03 04:20:11 256000 ----a-w- c:\windows\PEV.exe
    2011-12-03 04:20:11 208896 ----a-w- c:\windows\MBR.exe
    2011-12-03 01:42:51 -------- d-----w- c:\program files\ESET
    2011-12-01 13:16:46 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2011-11-30 06:49:17 -------- d-----w- c:\documents and settings\halo\application data\QuickScan
    2011-11-29 19:59:08 -------- d-----w- c:\program files\Microsoft Security Client
    2011-11-28 20:43:26 187776 -c--a-w- c:\windows\system32\dllcache\acpi.sys
    2011-11-28 20:43:26 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-11-28 20:42:29 -------- d--h--w- c:\documents and settings\halo\application data\892F1515
    .
    ==================== Find3M ====================
    .
    2011-11-10 03:33:01 256104 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-11-10 03:33:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-11-03 16:23:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-13 03:37:14 256104 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 11:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 11:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 11:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-10 04:47:20 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
    2011-09-06 13:25:11 1867904 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 5:07:15.15 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/29/2010 19:44:50
    System Uptime: 12/3/2011 22:17:57 (7 hours ago)
    .
    Motherboard: Dell Inc. | | 0D883F
    Processor: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz | CPU1 | 1995/4800mhz
    Processor: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz | CPU1 | 1995/4800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 466 GiB total, 432.301 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA
    .
    ==== System Restore Points ===================
    .
    RP271: 9/5/2011 02:15:58 - System Checkpoint
    RP272: 9/6/2011 03:16:35 - System Checkpoint
    RP273: 9/7/2011 03:18:45 - System Checkpoint
    RP274: 9/8/2011 05:48:20 - System Checkpoint
    RP275: 9/9/2011 06:11:28 - System Checkpoint
    RP276: 9/10/2011 06:55:52 - System Checkpoint
    RP277: 9/11/2011 03:00:21 - Software Distribution Service 3.0
    RP278: 9/12/2011 03:00:14 - Software Distribution Service 3.0
    RP279: 9/13/2011 03:37:56 - System Checkpoint
    RP280: 9/14/2011 03:00:30 - Software Distribution Service 3.0
    RP281: 9/15/2011 03:24:52 - System Checkpoint
    RP282: 9/16/2011 05:36:49 - System Checkpoint
    RP283: 9/17/2011 06:28:04 - System Checkpoint
    RP284: 9/18/2011 08:12:29 - System Checkpoint
    RP285: 9/19/2011 10:35:07 - System Checkpoint
    RP286: 9/20/2011 10:48:13 - System Checkpoint
    RP287: 9/21/2011 11:24:54 - System Checkpoint
    RP288: 9/22/2011 11:36:54 - System Checkpoint
    RP289: 9/23/2011 12:15:38 - System Checkpoint
    RP290: 9/24/2011 15:56:02 - System Checkpoint
    RP291: 9/25/2011 17:21:28 - System Checkpoint
    RP292: 9/26/2011 22:01:59 - System Checkpoint
    RP293: 9/27/2011 22:21:45 - System Checkpoint
    RP294: 9/28/2011 03:00:13 - Software Distribution Service 3.0
    RP295: 9/29/2011 14:42:03 - System Checkpoint
    RP296: 9/30/2011 15:36:33 - System Checkpoint
    RP297: 10/1/2011 18:26:17 - System Checkpoint
    RP298: 10/3/2011 13:34:52 - System Checkpoint
    RP299: 10/4/2011 14:06:55 - System Checkpoint
    RP300: 10/5/2011 16:03:05 - System Checkpoint
    RP301: 10/6/2011 21:54:50 - System Checkpoint
    RP302: 10/7/2011 22:09:59 - System Checkpoint
    RP303: 10/8/2011 23:05:04 - System Checkpoint
    RP304: 10/9/2011 23:06:05 - System Checkpoint
    RP305: 10/11/2011 00:03:54 - System Checkpoint
    RP306: 10/12/2011 00:04:06 - System Checkpoint
    RP307: 10/13/2011 00:08:37 - System Checkpoint
    RP308: 10/13/2011 03:00:14 - Software Distribution Service 3.0
    RP309: 10/14/2011 04:55:23 - System Checkpoint
    RP310: 10/15/2011 03:00:13 - Software Distribution Service 3.0
    RP311: 10/16/2011 03:34:30 - System Checkpoint
    RP312: 10/17/2011 05:28:40 - System Checkpoint
    RP313: 10/18/2011 05:36:10 - System Checkpoint
    RP314: 10/19/2011 06:16:43 - System Checkpoint
    RP315: 10/20/2011 07:28:42 - System Checkpoint
    RP316: 10/21/2011 13:51:58 - System Checkpoint
    RP317: 10/22/2011 14:17:45 - System Checkpoint
    RP318: 10/23/2011 17:20:17 - System Checkpoint
    RP319: 10/24/2011 20:19:19 - System Checkpoint
    RP320: 10/25/2011 21:38:18 - System Checkpoint
    RP321: 10/26/2011 21:51:29 - System Checkpoint
    RP322: 10/28/2011 00:22:42 - System Checkpoint
    RP323: 10/29/2011 00:32:09 - System Checkpoint
    RP324: 10/30/2011 01:42:21 - System Checkpoint
    RP325: 10/31/2011 02:24:58 - System Checkpoint
    RP326: 11/1/2011 03:19:44 - System Checkpoint
    RP327: 11/2/2011 04:17:46 - System Checkpoint
    RP328: 11/3/2011 06:14:58 - System Checkpoint
    RP329: 11/4/2011 06:24:32 - System Checkpoint
    RP330: 11/5/2011 06:27:07 - System Checkpoint
    RP331: 11/6/2011 10:13:26 - System Checkpoint
    RP332: 11/7/2011 11:21:28 - System Checkpoint
    RP333: 11/8/2011 11:44:52 - System Checkpoint
    RP334: 11/9/2011 03:00:13 - Software Distribution Service 3.0
    RP335: 11/10/2011 05:33:33 - System Checkpoint
    RP336: 11/11/2011 07:11:43 - System Checkpoint
    RP337: 11/12/2011 03:00:14 - Software Distribution Service 3.0
    RP338: 11/13/2011 03:07:03 - System Checkpoint
    RP339: 11/14/2011 04:38:06 - System Checkpoint
    RP340: 11/15/2011 05:47:54 - System Checkpoint
    RP341: 11/16/2011 07:43:54 - System Checkpoint
    RP342: 11/17/2011 08:19:16 - System Checkpoint
    RP343: 11/18/2011 09:35:12 - System Checkpoint
    RP344: 11/19/2011 10:19:31 - System Checkpoint
    RP345: 11/20/2011 11:10:12 - System Checkpoint
    RP346: 11/21/2011 12:09:29 - System Checkpoint
    RP347: 11/22/2011 13:47:04 - System Checkpoint
    RP348: 11/23/2011 14:49:18 - System Checkpoint
    RP349: 11/24/2011 15:11:17 - System Checkpoint
    RP350: 11/25/2011 15:44:49 - System Checkpoint
    RP351: 11/26/2011 16:22:17 - System Checkpoint
    RP352: 11/27/2011 18:02:49 - System Checkpoint
    RP353: 11/28/2011 19:49:23 - System Checkpoint
    RP354: 11/29/2011 17:59:56 - Removed Ad-Aware
    RP355: 11/29/2011 19:55:53 - Removed Symantec AntiVirus
    RP356: 11/29/2011 20:00:22 - Software Distribution Service 3.0
    RP357: 12/1/2011 06:26:09 - System Checkpoint
    RP358: 12/1/2011 13:16:12 - Software Distribution Service 3.0
    RP359: 12/2/2011 13:34:26 - System Checkpoint
    RP360: 12/2/2011 16:32:42 - Software Distribution Service 3.0
    RP361: 12/3/2011 06:37:37 - Software Distribution Service 3.0
    RP362: 12/4/2011 01:59:19 - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.4.2
    Apple Application Support
    Apple Software Update
    AutoFind 6 Common
    Autofind 6 Crystal Reports Runtime
    BioAPI Framework
    Broadcom NetXtreme-I Netlink Driver and Management Installer
    Cisco Systems VPN Client 5.0.04.0300
    DCP32MMWrapper
    Dell Control Point
    Dell ControlPoint Security Manager
    Dell ControlPoint System Manager
    Dell Embassy Trust Suite by Wave Systems
    Dell Security Device Driver Pack
    Document Manager Lite
    EMBASSY Security Center
    EMBASSY Security Setup
    ESC Home Page Plugin
    ESET Online Scanner v3
    Gemalto
    Google Chrome
    Google Earth
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB954708)
    Intel® Matrix Storage Manager
    InterActual Player
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 24
    Map AGenT Pro
    MapInfo MapX 4.0 OCX
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Milestone XProtect Smart Client 5.0d
    Mozilla Firefox 8.0.1 (x86 en-US)
    MSN
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP3 Parser (KB973685)
    MSXML 6.0 Parser (KB927977)
    NTRU TCG Software Stack
    NVIDIA Control Panel 267.17
    NVIDIA Graphics Driver 267.17
    NVIDIA Install Application
    NVIDIA nView 135.64
    NVIDIA nView Desktop Manager
    OGA Notifier 2.0.0048.0
    PowerDVD DX
    Preboot Manager
    Private Information Manager
    QuickTime
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE 10.3
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2483614)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Security Wizards
    SO32MMWrapper
    SoundMAX
    Trusted Drive Manager
    Tweak UI
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Windows (KB971513)
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB971029)
    UPEK TouchChip Fingerprint Reader
    VideoLAN VLC media player 0.8.6f
    Wave Infrastructure Installer
    Wave Support Software
    WebFldrs XP
    Windows Driver Package - Dell Inc. PBADRV System (09/11/2009 1.0.1.6)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/3/2011 05:18:14, error: PlugPlayManager [11] - The device Root\LEGACY_NPF\0000 disappeared from the system without first being prepared for removal.
    12/3/2011 04:17:23, error: Service Control Manager [7034] - The BackupService service terminated unexpectedly. It has done this 1 time(s).
    12/1/2011 16:27:17, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    12/1/2011 15:18:15, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    12/1/2011 14:04:12, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
    12/1/2011 14:01:10, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/1/2011 13:58:09, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/1/2011 06:10:44, error: Service Control Manager [7034] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 2 time(s).
    12/1/2011 05:59:31, error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    11/29/2011 15:48:35, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    11/29/2011 05:15:14, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SAVRT SAVRTPEL SYMTDI
    11/29/2011 05:13:22, error: NetBT [4311] - Initialization failed because the driver device could not be created.
    11/29/2011 04:54:55, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/29/2011 04:31:37, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SYMTDI Tcpip
    11/29/2011 04:31:37, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    11/29/2011 04:31:37, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/29/2011 04:31:37, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/29/2011 04:31:37, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    11/29/2011 03:00:51, error: System Error [1003] - Error code 10000050, parameter1 ad379000, parameter2 00000000, parameter3 80509973, parameter4 00000000.
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot. I'll help with the malware.

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    It appears that you have some left-over scanning programs. Although I will have you do the scans, I'd like you to uninstall Combofix and Eset and reload from my link.

    Question: Tell me about the use of the following:
    1. uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
    2. Trusted Zone: watchitmove.com
    3. Microsoft Internationalized Domain Names Mitigation APIs
    ===============================
    Please update Java: Java Updates. After the update, uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-checked toolbars or BHOs; if found, remove the check before the download.
    ===============================
    There will be malware in the Java cache due to the outdated programs, so it must be cleared.
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on the Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on the Temporary Files Settings window.
    Images courtesy java.com
    =======================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  3. Dzapper

    Dzapper TS Rookie Topic Starter

    Redirect looks to be gone

    Regarding your three questions: I have no idea about the uInternet Connection entry; though it is installed, no one uses Outlook on this computer. The watchitmove.com is where I "The Man" oppress the masses ;-) in other words that's supposed to be there. The Microsoft Internationalized Domain Names Mitigation APIs looks to me to be a valid Microsoft update unless you know something more about it.

    ESET scan found no threats and did not produce a log.

    Combofix log:


    ComboFix 11-12-04.04 - HALO 12/05/2011 0:00.3.8 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.3019 [GMT 0:00]
    Running from: c:\documents and settings\HALO\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-05 to 2011-12-05 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-04 06:06 . 2011-12-04 06:06 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89C8AD8D-3FA1-45DA-8CEE-FB76F19B8211}\MpKslf0b64766.sys
    2011-12-04 06:05 . 2011-12-04 06:05 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89C8AD8D-3FA1-45DA-8CEE-FB76F19B8211}\offreg.dll
    2011-12-04 06:05 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89C8AD8D-3FA1-45DA-8CEE-FB76F19B8211}\mpengine.dll
    2011-12-03 01:42 . 2011-12-03 01:42 -------- d-----w- c:\program files\ESET
    2011-12-01 13:16 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-11-30 06:49 . 2011-12-04 00:38 -------- d-----w- c:\documents and settings\HALO\Application Data\QuickScan
    2011-11-29 19:59 . 2011-11-29 19:59 -------- d-----w- c:\program files\Microsoft Security Client
    2011-11-28 20:53 . 2011-11-28 20:53 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
    2011-11-28 20:43 . 2008-04-14 00:06 187776 -c--a-w- c:\windows\system32\dllcache\acpi.sys
    2011-11-28 20:43 . 2008-04-14 00:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-11-28 20:42 . 2011-11-28 20:44 -------- d--h--w- c:\documents and settings\HALO\Application Data\892F1515
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-04 06:05 . 2011-04-11 16:21 0 ----a-w- c:\documents and settings\HALO\Local Settings\Application Data\WavXMapDrive.bat
    2011-11-28 20:50 . 2011-08-01 18:37 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\WavXMapDrive.bat
    2011-11-03 16:23 . 2011-06-24 14:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-10-03 05:06 . 2010-07-30 04:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-03 02:37 . 2011-03-07 13:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 11:41 . 2008-07-30 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 11:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 11:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-10 04:47 . 2011-09-10 04:47 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
    2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-21 04:04 . 2011-09-01 00:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-03_05.22.31 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-12-04 23:21 . 2011-12-04 23:21 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
    + 2008-04-25 16:16 . 2011-12-04 06:09 718388 c:\windows\system32\perfh009.dat
    + 2008-04-25 16:16 . 2011-12-04 06:09 172834 c:\windows\system32\perfc009.dat
    + 2011-12-04 23:21 . 2011-10-03 05:06 157472 c:\windows\system32\javaws.exe
    - 2011-03-07 14:13 . 2011-02-02 21:40 157472 c:\windows\system32\javaws.exe
    + 2011-12-04 23:21 . 2011-10-03 05:06 145184 c:\windows\system32\javaw.exe
    - 2011-03-07 14:13 . 2011-02-02 21:40 145184 c:\windows\system32\javaw.exe
    - 2011-03-07 14:13 . 2011-03-07 13:58 145184 c:\windows\system32\java.exe
    + 2011-12-04 23:21 . 2011-10-03 05:06 145184 c:\windows\system32\java.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-04-14 159616]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-01-26 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-17 13879912]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2011-3-7 6144]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell ControlPoint System Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk
    backup=c:\windows\pss\Dell ControlPoint System Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TdmNotify.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TdmNotify.lnk
    backup=c:\windows\pss\TdmNotify.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 23:07 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 17:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2011-02-17 14:18 13879912 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2011-02-17 14:18 111208 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2009-12-29 21:35 140520 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2010-01-08 14:13 1044480 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [7/30/2010 07:14 24064]
    R1 MpKslf0b64766;MpKslf0b64766;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89C8AD8D-3FA1-45DA-8CEE-FB76F19B8211}\MpKslf0b64766.sys [12/4/2011 06:06 29904]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/8/2010 21:20 376688]
    S1 MpKslcb6bd7e8;MpKslcb6bd7e8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE63D181-A450-415E-8E78-281938D2850B}\MpKslcb6bd7e8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE63D181-A450-415E-8E78-281938D2850B}\MpKslcb6bd7e8.sys [?]
    S2 BackupService;BackupService;c:\documents and settings\HALO\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [7/3/2011 16:32 83512]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 19:16 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 16:42 136176]
    S3 ATMEPVCM;Microsoft Ethernet PVC;c:\windows\system32\drivers\atmepvc.sys [4/25/2008 16:16 31360]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 16:42 136176]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
    S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\Safe Returner\RegKernelHelp.sys --> c:\program files\Safe Returner\RegKernelHelp.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 16:16 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 19:16 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - JAVAQUICKSTARTERSERVICE
    *NewlyCreated* - MPKSLF0B64766
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 16:41]
    .
    2011-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 16:41]
    .
    2011-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-886209288-1299174467-1129114233-1009Core.job
    - c:\documents and settings\HALO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-09 23:55]
    .
    2011-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-886209288-1299174467-1129114233-1009UA.job
    - c:\documents and settings\HALO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-09 23:55]
    .
    2011-12-04 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    Trusted Zone: watchitmove.com
    TCP: Interfaces\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE}: NameServer = 204.117.214.10,199.2.252.10
    DPF: {C9101148-151A-470D-9CE5-C163C0361EAE} - hxxp://www.ipromote.com/assets/media/toolbars/ipromote_toolbar.cab
    FF - ProfilePath - c:\documents and settings\HALO\Application Data\Mozilla\Firefox\Profiles\akgs7kj7.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-05 00:31
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1072)
    c:\windows\System32\TdmNetworkProvider.dll
    c:\windows\System32\WCR10.dll
    .
    - - - - - - - > 'lsass.exe'(1128)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(1656)
    c:\windows\system32\WININET.dll
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-12-05 00:46:42
    ComboFix-quarantined-files.txt 2011-12-05 00:46
    ComboFix2.txt 2011-12-04 00:25
    ComboFix3.txt 2011-12-03 05:39
    .
    Pre-Run: 464,092,274,688 bytes free
    Post-Run: 464,088,932,352 bytes free
    .
    - - End Of File - - 3B770A1D542B459805DAEBD7306A8307
     
  4. Dzapper

    Dzapper TS Rookie Topic Starter

    Spoke too soon

    Oops, I spoke too soon; the redirect is still occurring, just far less often and not on a consistent basis.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    "no one uses Outlook on this computer."> This is Outlook Express, not Outlook, a big difference. I have never seen it as the internet connection. Will remove process.

    "The watchitmove.com is where I "The Man" oppress the masses ;-) in other words that's supposed to be there."> As long as you understand that the Trusted Zone has lower security settings than the internet zone. The only time I think anything in the zone might be appropriate is if there is an intranet set up.

    "The Microsoft Internationalized Domain Names Mitigation APIs looks to me to be a valid Microsoft update unless you know something more about it."> I asked you about your use of the following; I didn't say it wasn't valid. This Microsoft update consists of DLLs for internationalized domain name support, Unicode normalization, and mitigation support for spoofing identity threats.

    This is in Add/Remove Programs, not the update section.

    Since it is specific, hence my question.
    =========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\program files\safe returner\regkernelhelp.sys
    c:\windows\system32\drivers\TrufosAlt.sys
    c:\windows\system32\vsdatant.sys
    Folder::
    c:\documents and settings\HALO\Application Data\892F1515
    DDS::
    uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {C9101148-151A-470D-9CE5-C163C0361EAE} - hxxp://www.ipromote.com/assets/media/toolbars/ipromote_toolbar.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    ClearJavaCache::
    
    Driver::
    RegKernelHelp
    vsdatant
    
    Reboot::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    =================================
    I've removed an orphan process for the Zone Alarm Firewall (S3 ;vsdatant; [2007-11-14]).
    I've removed an orphan process for Bit Defender Anti Virus (c:\windows\system32\drivers\TrufosAlt.sys).
    Please check and see if either of these is still installed. If so, please uninstall> then use Windows Explorer to access Computer> Local Drive> Programs> find the folder for each and do a right click> Delete.

    I've also removed Safe Returner (S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\Safe Returner\RegKernelHelp.sys --> c:\program files\Safe Returner\RegKernelHelp.sys [?]) > "Safe Returner: Very poor detection of malware, very poor cleanup of detected malware. On one test system active malware disabled Safe Returner. User interface riddled with typos and poor grammar. Bad Web reputation."
    ====================================
    Although you were asked to uninstall any previous entry for Combofix, you did not. It indicates that some malware might have been found and quarantined, although Eset didn't show "Qoobox" entries.
    ====================================
    See if these removals make any difference in the redirects. It is possible that the connection through Outlook Express is causing the problem. Otherwise, there's really not much showing.
    ===================================
    Go ahead and run the following after the script above:
    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    Please note: if you do not set up this directory, you will have to uninstall HJT, redownload and scan to do it correctly.
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    =========================================
    And this: Download Security Check by screen317 from one of these links:
    Link1
    Link 2
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
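    The orphan entries Bobbye pulled into the CFScript above are the service lines ComboFix prints as "path --> path [?]" (image file missing on disk). The following is an added Python example, not ComboFix's code or anything from this thread, that parses such lines from a constructed sample copied from the log above and drafts the File::/Driver:: sections; which candidates actually belong in the script remains a review decision (the Lavasoft entry, for instance, was left alone in the post).

```python
import re
from typing import Dict, List

# Constructed sample input: service/driver lines in the layout ComboFix uses in
# its "Reg Loading Points" section. Names and paths are copied from the log
# pasted earlier in this thread; the code itself is an added example.
SAMPLE_LOG = r"""
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [7/30/2010 07:14 24064]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\Safe Returner\RegKernelHelp.sys --> c:\program files\Safe Returner\RegKernelHelp.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 16:16 14336]
"""

# One ComboFix service line:
#   <start type> <service name>;<display name>;<image path> [<date> <time> <size>]
# When the image file is missing the tail is printed as "<path> --> <path> [?]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


def parse_services(log_text: str) -> List[Dict[str, object]]:
    """Return one record per service/driver line; all other lines are ignored."""
    records: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        orphan = rest.endswith("[?]")
        if orphan:
            # Keep the resolved path right of "-->", dropping the "[?]" marker.
            path = rest.split("-->", 1)[-1].rsplit("[", 1)[0].strip()
        else:
            # Path is everything before the trailing "[date time size]" block;
            # command-line switches such as "-k WINRM" stay attached to it.
            path = rest.rsplit("[", 1)[0].strip()
        records.append({
            "start": m.group("start"),
            "name": m.group("name"),
            "display": m.group("display"),
            "path": path,
            "orphan": orphan,
        })
    return records


def find_orphans(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Entries whose driver/service image no longer exists on disk."""
    return [r for r in records if r["orphan"]]


def build_cfscript(orphans: List[Dict[str, object]]) -> str:
    """Draft File::/Driver:: sections in the CFScript layout used in the post."""
    lines = ["File::"]
    lines += [str(r["path"]) for r in orphans]
    lines += ["", "Driver::"]
    lines += [str(r["name"]) for r in orphans]
    lines += ["", "Reboot::", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_orphans(parse_services(SAMPLE_LOG))
    for r in found:
        print(f"{r['start']} {r['name']}: image missing at {r['path']}")
    print(build_cfscript(found))
```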
     
  6. Dzapper

    Dzapper TS Rookie Topic Starter

    I think that might have gotten it

    ComboFix 11-12-04.04 - HALO 12/07/2011 0:49.4.8 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.2887 [GMT 0:00]
    Running from: c:\documents and settings\HALO\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\HALO\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    FILE ::
    "c:\program files\safe returner\regkernelhelp.sys"
    "c:\windows\system32\drivers\TrufosAlt.sys"
    "c:\windows\system32\vsdatant.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\HALO\Application Data\892F1515
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_REGKERNELHELP
    -------\Legacy_VSDATANT
    -------\Service_RegKernelHelp
    -------\Service_vsdatant
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-07 01:23 . 2011-12-07 01:23 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ED62BB14-23EA-4914-9202-4A8ACC04862B}\offreg.dll
    2011-12-06 06:09 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ED62BB14-23EA-4914-9202-4A8ACC04862B}\mpengine.dll
    2011-12-01 13:16 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-11-30 06:49 . 2011-12-04 00:38 -------- d-----w- c:\documents and settings\HALO\Application Data\QuickScan
    2011-11-29 19:59 . 2011-11-29 19:59 -------- d-----w- c:\program files\Microsoft Security Client
    2011-11-28 20:53 . 2011-11-28 20:53 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
    2011-11-28 20:43 . 2008-04-14 00:06 187776 -c--a-w- c:\windows\system32\dllcache\acpi.sys
    2011-11-28 20:43 . 2008-04-14 00:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-07 01:24 . 2011-04-11 16:21 0 ----a-w- c:\documents and settings\HALO\Local Settings\Application Data\WavXMapDrive.bat
    2011-11-28 20:50 . 2011-08-01 18:37 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\WavXMapDrive.bat
    2011-11-03 16:23 . 2011-06-24 14:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-10-03 05:06 . 2010-07-30 04:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-03 02:37 . 2011-03-07 13:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 11:41 . 2008-07-30 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 11:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 11:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-10 04:47 . 2011-09-10 04:47 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
    2011-11-21 04:04 . 2011-09-01 00:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-03_05.22.31 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-12-07 01:24 . 2011-12-07 01:24 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
    + 2008-04-25 16:16 . 2011-12-04 06:09 718388 c:\windows\system32\perfh009.dat
    + 2008-04-25 16:16 . 2011-12-04 06:09 172834 c:\windows\system32\perfc009.dat
    + 2011-12-04 23:21 . 2011-10-03 05:06 157472 c:\windows\system32\javaws.exe
    - 2011-03-07 14:13 . 2011-02-02 21:40 157472 c:\windows\system32\javaws.exe
    + 2011-12-04 23:21 . 2011-10-03 05:06 145184 c:\windows\system32\javaw.exe
    - 2011-03-07 14:13 . 2011-02-02 21:40 145184 c:\windows\system32\javaw.exe
    - 2011-03-07 14:13 . 2011-03-07 13:58 145184 c:\windows\system32\java.exe
    + 2011-12-04 23:21 . 2011-10-03 05:06 145184 c:\windows\system32\java.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-04-14 159616]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-01-26 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-17 13879912]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2011-3-7 6144]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell ControlPoint System Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk
    backup=c:\windows\pss\Dell ControlPoint System Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TdmNotify.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TdmNotify.lnk
    backup=c:\windows\pss\TdmNotify.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 23:07 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 17:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2011-02-17 14:18 13879912 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2011-02-17 14:18 111208 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2009-12-29 21:35 140520 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2010-01-08 14:13 1044480 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [7/30/2010 07:14 24064]
    R2 BackupService;BackupService;c:\documents and settings\HALO\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [7/3/2011 16:32 83512]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/8/2010 21:20 376688]
    S1 MpKsl212416e5;MpKsl212416e5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ED62BB14-23EA-4914-9202-4A8ACC04862B}\MpKsl212416e5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ED62BB14-23EA-4914-9202-4A8ACC04862B}\MpKsl212416e5.sys [?]
    S1 MpKslcb6bd7e8;MpKslcb6bd7e8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE63D181-A450-415E-8E78-281938D2850B}\MpKslcb6bd7e8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE63D181-A450-415E-8E78-281938D2850B}\MpKslcb6bd7e8.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 19:16 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 16:42 136176]
    S3 ATMEPVCM;Microsoft Ethernet PVC;c:\windows\system32\drivers\atmepvc.sys [4/25/2008 16:16 31360]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 16:42 136176]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 16:16 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 19:16 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 16:41]
    .
    2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 16:41]
    .
    2011-12-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-886209288-1299174467-1129114233-1009Core.job
    - c:\documents and settings\HALO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-09 23:55]
    .
    2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-886209288-1299174467-1129114233-1009UA.job
    - c:\documents and settings\HALO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-09 23:55]
    .
    2011-12-07 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    Trusted Zone: watchitmove.com
    TCP: Interfaces\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE}: NameServer = 204.117.214.10,199.2.252.10
    FF - ProfilePath - c:\documents and settings\HALO\Application Data\Mozilla\Firefox\Profiles\akgs7kj7.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-07 01:24
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1080)
    c:\windows\System32\TdmNetworkProvider.dll
    c:\windows\System32\WCR10.dll
    .
    - - - - - - - > 'lsass.exe'(1136)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3612)
    c:\windows\system32\WININET.dll
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-07 01:40:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-07 01:40
    ComboFix2.txt 2011-12-05 00:46
    ComboFix3.txt 2011-12-04 00:25
    ComboFix4.txt 2011-12-03 05:39
    .
    Pre-Run: 463,892,738,048 bytes free
    Post-Run: 464,149,905,408 bytes free
    .
    - - End Of File - - 3BCD143D50E55CDC317C65CB7BE8B94C

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 02:15:38, on 12/7/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    C:\Documents and Settings\HALO\Application Data\HP SimpleSave Application\uUACTokenSvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\HALO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HALO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HALO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HALO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.watchitmove.com
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE}: NameServer = 204.117.214.10,199.2.252.10
    O17 - HKLM\System\CS1\Services\Tcpip\..\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE}: NameServer = 204.117.214.10,199.2.252.10
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: BackupService - ArcSoft, Inc. - C:\Documents and Settings\HALO\Application Data\HP SimpleSave Application\uUACTokenSvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

    --
    End of file - 7239 bytes


    Results of screen317's Security Check version 0.99.28
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date! (On Access scanning disabled!)
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 29
    Adobe Flash Player 11.0.1.152
    Adobe Reader 9 Adobe Reader out of date!
    Mozilla Firefox (8.0.1)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Microsoft Security Client Antimalware MsMpEng.exe
    ``````````End of Log````````````
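Before the verdict on these logs, a small triage pass over the HijackThis and ComboFix lines posted above, added here as an example for this page; it is not code from the thread, from HijackThis or from ComboFix. It checks the entries that matter most on a search-redirect case: the O17 NameServer values (a swapped DNS server redirects every browser at once), the R0/R1 start and search pages, O15 trusted-zone additions, O4/O23 autostarts that run out of a user profile (the BackupService entry above does), and, in the ComboFix "Reg Loading Points" section, the LSA Authentication Packages list (msv1_0 plus wvauth here, i.e. a DLL lsass.exe loads at boot) and the Security Center AntiVirusOverride value. The known-good sets, the function names and the one extra O17 line with an RFC 5737 documentation address are assumptions constructed for the example; the other sample lines are copied from the posted logs. A hit means "confirm the owner", not "malware": the helper in this thread judged these logs clean, and the flagged items should be resolved against the vendor software visible throughout them. One caveat both logs record is that MSE on-access scanning was disabled at scan time (ComboFix header, Security Check), so real-time protection needs turning back on once the cleanup tools are removed.

```python
"""Redirect-triage pass over HijackThis and ComboFix "Reg Loading Points" lines.

Added example for this page; not code from the thread, HijackThis or ComboFix.
The known-good sets below are assumptions a reviewer fills in per machine.
"""
import re
from urllib.parse import urlparse

# Assumption: the resolvers this machine should be using (here, the O17
# values from the posted log). On a search-redirect case DNS is the first
# thing to confirm: a swapped NameServer hijacks every browser at once.
EXPECTED_NAMESERVERS = {"204.117.214.10", "199.2.252.10"}
# Assumption: hosts acceptable as IE start and search pages.
EXPECTED_URL_HOSTS = {"go.microsoft.com", "g.msn.com", "www.google.com"}
# msv1_0 is the stock XP LSA authentication package; every extra name is a
# DLL that lsass.exe loads at boot and should have a known owner.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
# Vendor software rarely autostarts from inside a user profile; droppers
# often do, so such paths get flagged for review.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def triage_hijackthis(lines):
    """Return (section, reason) pairs for HijackThis lines that need a look."""
    findings = []
    for raw in lines:
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1", "R3"):
            # body looks like "HKLM\...\Main,Search Page = http://host/..."
            host = urlparse(body.split(" = ", 1)[-1]).hostname
            if host and host not in EXPECTED_URL_HOSTS:
                findings.append((sec, f"browser start/search URL points at {host}"))
        elif sec == "O1":
            findings.append((sec, "hosts-file redirection entry: " + body))
        elif sec == "O15":
            findings.append((sec, "trusted-zone site: " + body.split(":", 1)[-1].strip()))
        elif sec == "O17":
            servers = body.split("NameServer = ", 1)[-1].split(",")
            unknown = [s.strip() for s in servers if s.strip() not in EXPECTED_NAMESERVERS]
            if unknown:
                findings.append((sec, "unexpected DNS server(s): " + ", ".join(unknown)))
        elif sec in ("O4", "O23"):
            if any(marker in body.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append((sec, "autostart/service runs from a user-writable path: " + body))
    return findings


def triage_combofix(lines):
    """Return (check, reason) pairs for ComboFix REGEDIT4-style loading points."""
    findings, key = [], None
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # current registry key
            continue
        if key is None or line in ("", "."):  # ComboFix pads sections with "." lines
            continue
        if key.endswith("\\control\\lsa") and line.startswith("Authentication Packages"):
            extra = sorted(set(line.split("REG_MULTI_SZ", 1)[-1].split()) - DEFAULT_AUTH_PACKAGES)
            if extra:
                findings.append(("LSA", "non-default authentication package(s): " + ", ".join(extra)))
        elif key.endswith("\\security center") and line.lower().startswith('"antivirusoverride"=dword:'):
            if not line.endswith("00000000"):
                findings.append(("SecurityCenter", "AntiVirusOverride set; Security Center AV alerts are suppressed"))
    return findings


# Sample input, constructed for this example from lines in the posted logs,
# plus one O17 line with an RFC 5737 documentation address so the DNS check fires.
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O15 - Trusted Zone: *.watchitmove.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE}: NameServer = 192.0.2.53
O23 - Service: BackupService - ArcSoft, Inc. - C:\Documents and Settings\HALO\Application Data\HP SimpleSave Application\uUACTokenSvc.exe
""".strip().splitlines()

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
""".strip().splitlines()

if __name__ == "__main__":
    for sec, why in triage_hijackthis(SAMPLE_HJT) + triage_combofix(SAMPLE_COMBOFIX):
        print(f"[{sec}] {why}")
```

To run it against a real case, replace the two sample lists with the full HijackThis log and the "Reg Loading Points" section of the ComboFix log, and set EXPECTED_NAMESERVERS to the ISP's published resolvers; the O17 check is the one that most often explains redirects that survive a clean anti-malware scan, because nothing on disk needs to be infected for it to work.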
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, these logs look clean!

    Please update the Adobe Reader. Visit this Adobe Reader site. Uninstall any earlier updates as they are vulnerabilities.
    ======================================
    Since the redirects have been resolved, you can remove all of the tools we used and the files and folders they created:
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    =========================================
    I'm going to leave you some suggestions for added security. Although the MVPs won't admit it, I do not think having MSE alone offers full protection. Some of these may not apply to you now, but keep the list handy:

    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section, "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Hosts File
      [o] Google Toolbar Pop Up Blocker
      [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o] Antivirus (only one): Both of the following programs are free and known to be good:
      [o] Avira-AntiVir-Personal-Free-Antivirus
      [o] Avast-Free Antivirus
      [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      [o] Comodo
      [o] Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o] SpywareBlaster: SpywareBlaster protects against bad ActiveX.
      [o] Spybot Search & Destroy
    4. Updates: Stay current:
      [o] Visit the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o] Adobe Reader: Install current, uninstall old.
      [o] Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookies:
      [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o] See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.

    Let me know if you have any more questions.
     
  8. Dzapper

    Dzapper TS Rookie Topic Starter

    Thank you

    Thanks Bobbye for your help.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome!

    Have a Happy and Peaceful Holiday!
     