Solved Cannot get rid of "Redirect Virus"


computernerd180

I've run several scans: Malwarebytes, SUPERAntiVirus, and AVG 2011. Malwarebytes and AVG find nothing. SUPERAntiVirus (I'm not sure if I like it) found 92 but didn't fix them. Any time I've run it since, it continually finds 22 and says it fixes them, but they are always there. The Internet is running slow and search results don't work most of the time! Please help, I have no clue how to fix this and need some great expertise!!!

Malwarebytes log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6610

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/23/2011 1:47:36 AM
mbam-log-2011-05-23 (01-47-36).txt

Scan type: Full scan (C:\|H:\|)
Objects scanned: 280387
Time elapsed: 1 hour(s), 37 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


AVG Log:

Scan "Scheduled scan" completed.
No infection was found during this scan
Folders selected for scanning:;"Whole computer scan"
Scan started:;"Monday, May 23, 2011, 6:11:55 AM"
Scan finished:;"Monday, May 23, 2011, 7:05:28 AM (53 minute(s) 32 second(s))"
Total object scanned:;"1163948"
User who launched the scan:;"SYSTEM"

SUPERAntiSpyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/22/2011 at 08:15 PM

Application Version : 4.52.1000

Core Rules Database Version : 6999
Trace Rules Database Version: 4811

Scan type : Complete Scan
Total Scan Time : 00:58:39

Memory items scanned : 492
Memory threats detected : 0
Registry items scanned : 8666
Registry threats detected : 0
File items scanned : 22364
File threats detected : 23

Adware.Tracking Cookie
C:\Documents and Settings\Elisha\Cookies\elisha@content.yieldmanager[3].txt
C:\Documents and Settings\Elisha\Cookies\elisha@pointroll[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@ad.yieldmanager[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@ads.undertone[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@casalemedia[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@trafficmp[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@content.yieldmanager[2].txt
C:\Documents and Settings\Elisha\Cookies\elisha@ads.lycos[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@classmates.112.2o7[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@burstnet[3].txt
C:\Documents and Settings\Elisha\Cookies\elisha@a1.interclick[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@specificclick[2].txt
C:\Documents and Settings\Elisha\Cookies\elisha@ad.wsod[2].txt
C:\Documents and Settings\Elisha\Cookies\elisha@adserver.adtechus[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@tribalfusion[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@serving-sys[2].txt
C:\Documents and Settings\Elisha\Cookies\elisha@zedo[2].txt
C:\Documents and Settings\Elisha\Cookies\elisha@traffic.prod.cobaltgroup[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@media6degrees[1].txt
C:\Documents and Settings\Elisha\Cookies\elisha@ads.pointroll[2].txt
C:\Documents and Settings\Elisha\Cookies\elisha@advertising[3].txt
C:\Documents and Settings\Elisha\Cookies\elisha@ad.yieldmanager[2].txt

Adware.CouponBar
C:\WINDOWS\CPNPRT2.CID


Any help would be appreciated. I am so lost. It just seems like I've tried everything I know how to do and cannot beat this! Thanks.
 
Welcome to TechSpot! It's more helpful to 'get rid' of a redirect when you know what's causing it!


Please follow the additional steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Malwarebytes, GMER, DDS and Attach logs

Here are all the logs I ran. Sorry for the delay. We got slammed with massive winds and were out of power for several hours last night. Thanks again.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6657

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/23/2011 4:29:46 PM
mbam-log-2011-05-23 (16-29-46).txt

Scan type: Quick scan
Objects scanned: 167489
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER Log:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-24 14:52:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SP1604N rev.TM100-24
Running: lv0stpuq.exe; Driver: C:\DOCUME~1\Elisha\LOCALS~1\Temp\agrdafoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF7730738]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF77307DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF7730878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF7730914]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38A1A3F4-95FF-1D4A-F69C-AEFBA5D8A524}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38A1A3F4-95FF-1D4A-F69C-AEFBA5D8A524}@iagegngbfbpkdnpaii 0x6A 0x61 0x6C 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38A1A3F4-95FF-1D4A-F69C-AEFBA5D8A524}@haehnpmmnikkhkpk 0x6A 0x61 0x6C 0x6D ...

---- EOF - GMER 1.0.15 ----

DDS Log:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Elisha at 15:05:05 on 2011-05-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1149 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Marketsplash by HP\HPLocalWebPrintAgent.exe
svchost.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Elisha\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
uRun: [cdloader] "c:\documents and settings\elisha\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\elisha\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [fxHelpdrv] rundll32.exe "c:\documents and settings\elisha\local settings\application data\directcrtlib\fxHelpdrv.dll",smpMapARM WinMobileCres
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [ASUS Camera ScreenSaver] c:\windows\ASScrProlog.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\elisha\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\market~1.lnk - c:\program files\hewlett-packard\marketsplash by hp\HPLocalWebPrintAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} - hxxp://www.samsungdp.com/printerhelp/ActiveX/DrPrinter.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://imageupload8.autorevo.com/Cabs/ImageUploader5.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://officedepotwebcafe.webex.com/client/wbs27-vzbprodcn/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\elisha\application data\mozilla\firefox\profiles\4f4w6oap.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\elisha\application data\mozilla\firefox\profiles\4f4w6oap.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\elisha\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar
.
---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-1-26 88176]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys --> c:\windows\system32\drivers\ANDROIDUSB.sys [?]
.
=============== Created Last 30 ================
.
2011-05-23 19:19:28 -------- d-----w- c:\program files\FreeTime
2011-05-23 17:52:16 -------- d-----w- c:\program files\LimeWire
2011-05-23 03:50:31 -------- d-----w- c:\program files\CCleaner
2011-05-20 17:26:27 -------- d-----w- c:\documents and settings\elisha\application data\SUPERAntiSpyware.com
2011-05-20 17:26:27 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-05-20 17:26:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-17 01:11:11 -------- d-----w- c:\program files\iPod
2011-05-17 01:11:06 -------- d-----w- c:\program files\iTunes
2011-05-17 01:06:31 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-05-15 19:16:12 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-04-15 01:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-05 04:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-29 17:08:28 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-18 18:32:10 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-03-16 20:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
.
============= FINISH: 15:05:38.25 ===============

Attach Log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/11/2009 7:36:48 PM
System Uptime: 5/24/2011 9:15:37 AM (6 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | Explorer4
Processor: AMD Athlon(tm) XP 3200+ | Socket A | 2191/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 145 GiB total, 69.6 GiB free.
D: is Removable
E: is Removable
H: is FIXED (FAT32) - 4 GiB total, 0.52 GiB free.
J: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_058F&PID_9360\9205291
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_058F&PID_9360\9205291
Service: USBSTOR
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce MCP Networking Controller
Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_80A71043&REV_A1\3&267A616A&0&20
Manufacturer: Nvidia
Name: NVIDIA nForce MCP Networking Controller
PNP Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_80A71043&REV_A1\3&267A616A&0&20
Service: NVENET
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Gigabyte GN-WP01GS PCI WLAN Card(Turbo)
Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_E9341458&REV_00\4&2C03473B&0&3840
Manufacturer: Gigabyte Technology Corp.
Name: Gigabyte GN-WP01GS PCI WLAN Card(Turbo)
PNP Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_E9341458&REV_00\4&2C03473B&0&3840
Service: RT61
.
==== System Restore Points ===================
.
RP1: 5/22/2011 11:52:09 PM - System Checkpoint
.
==== Installed Programs ======================
.
7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Aneesoft Free BlackBerry Video Converter
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Asus_LCD_ScreenSaver
AttachmentOptions
AVG 2011
BitTorrent
BlackBerry Desktop Software 5.0.1
BlackBerry Desktop Software 6.0
Bonjour
BurnAware Free 3.0.1
CCleaner
Coupon Printer for Windows
Debut Video Capture Software
Easy DVD Creator 2.0.17
ERUNT 1.1j
Eyles 15e
FormatFactory 2.60
Free RAR Extract Frog
FrostWire 4.20.6
Google Chrome
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Memories Disc
HP Officejet Pro 8500 A910 Basic Device Software
HP Officejet Pro 8500 A910 Help
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
HP Update
I.R.I.S. OCR
Image Resizer Powertoy for Windows XP
iTunes
Java Auto Updater
Java(TM) 6 Update 24
K-Lite Codec Pack 6.0.0 (Basic)
LifeFrame2
LightScribe 1.8.15.1
LimeWire 5.6.2
Macromedia Dreamweaver 8
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Fireworks MX
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash MX
magicJack
Malwarebytes' Anti-Malware
Marketsplash Print Software
Marketsplash Shortcuts
McAfee SiteAdvisor
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.17)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multimedia Card Reader
MyDSC2
Nero 7 Essentials
neroxml
Network Print Monitor for Windows 2000/XP/2003
NVIDIA Ethernet Driver
OpenMG Limited Patch 4.0-04-07-14-01
OpenMG Secure Module 4.0.00
PrimoPDF
PrimoPDF -- brought to you by Nitro PDF Software
PrimoPDF Redistribution Package
PrintKey2000
Quicken 2010
QuickTime
Reach PN Studyware CD
Realtek AC'97 Audio
Roxio Media Manager
Samsung CLP-310 Series
SAMSUNG Dr. Printer
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Skype web features
Skype™ 4.1
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
SonicStage 2.1.00
Spybot - Search & Destroy
SUPERAntiSpyware
Turbo Lister 2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (KB2443839)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoPad Video Editor
vShare Plugin
WebEx
WebFldrs XP
Windows Internet Explorer 8
WinFF 1.3.1
.
==== Event Viewer Messages From Past Week ========
.
5/24/2011 9:47:57 AM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
5/24/2011 9:47:22 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
5/23/2011 12:08:49 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
5/22/2011 7:12:25 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
5/22/2011 7:12:25 PM, error: Service Control Manager [7000] - The SSPORT service failed to start due to the following error: The system cannot find the file specified.
5/22/2011 6:11:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Avgldx86 Avgmfx86 Fips SASDIFSV SASKUTIL
5/22/2011 11:58:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
5/22/2011 11:56:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Avgldx86 Avgmfx86 Avgtdix Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/22/2011 11:55:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/22/2011 11:55:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/20/2011 4:32:34 PM, error: System Error [1003] - Error code 10000050, parameter1 e3f7101c, parameter2 00000000, parameter3 bf83cfda, parameter4 00000001.
.
==== End Of File ===========================
 
P2P or 'file sharing' Warning:
You are using 3 file sharing programs:
BitTorrent
FrostWire 4.20.6
LimeWire 5.6.2

As long as you use these programs, you can expect to get malware on your system. I strongly recommend that you uninstall them because:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
==========================================
If you choose not to uninstall the file sharing programs, please disable them and do not use them or accept downloads while I am helping you.
==========================================
Questions and Comments:
1). You are using 2 Site Advisors: McAfee and AVG. Suggest you remove one of them.
2). Are you using the Google Android USB Driver now?
3). Are you using SSPORT.sys 32bit Port Contention Driver from Samsung Electronics now?
4). Did the redirect problem start before or after the following programs were installed?
5/23/2011
c:\program files\FreeTime
c:\program files\LimeWire
c:\program files\CCleane
5/20/2011
c:\program files\SUPERAntiSpyware
5/17/2011
c:\program files\iPod
c:\program files\iTunes
c:\program files\Bonjour
Did you download them from any file sharing programs or sites?
5). Please uninstall HitmanPro35: It is only a bundle of free programs that can be found on the internet. The difference is that Hitman will only 'fix' or remove during the Trial Period, free. After that, you have to pay for the program. Whereas all of the programs in the bundle are fully functional and free, always.
===============================================
You will have to uninstall AVG to run Combofix:
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    [image]
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Then download the current version and do the scan:
Uninstall directions if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe
    [image: cf-icon.jpg]
    & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=======================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the [image] link to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the [image: esetSmartInstallDesktopIcon.png] on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    [image: esetonlinescannersettings_thumb.jpg]
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Please leave all logs in next reply.
 
Here you go...

Ok, here is what was done.

Uninstalled BitTorrent, FrostWire and LimeWire. I understand the cause for concern with these and it makes sense so they are GONE!!! Thanks!

I am not using Google Android USB Driver and am not sure even what that would be on there for. I've never had an Android phone.

Also SSPORT.sys 32bit Port Contention Driver from Samsung Electronics isn't being used. I'm not sure what that is. I used to have a Samsung printer but I do not anymore. Not sure if this driver is associated with that printer or not?

The "redirect" has been here before any of the programs you listed. It was definitely here before the 17th!
5/23/2011
Quote:
c:\program files\FreeTime
c:\program files\LimeWire
c:\program files\CCleane
5/20/2011
Quote:
c:\program files\SUPERAntiSpyware
5/17/2011
Quote:
c:\program files\iPod
c:\program files\iTunes
c:\program files\Bonjour

I went to uninstall HitmanPro but it was not listed as an installed program. I think I may have uninstalled it a while back. I did find the folder under program files and deleted it.

I uninstalled AVG and installed Avast as you suggested. I was kind of confused in doing this. When Avast installed it suggested a scan which I did. It found a couple things and removed them. Then it suggested to restart the system so it could scan the computer before Windows starts. It stayed on this scan for hours. It found some corrupted music files which I told it to delete. Then it showed me a bunch of .sys files which I did not delete. It made me feel uncomfortable to be getting rid of those. I aborted the scan and went straight to the ComboFix scan. I'm not sure if I was supposed to even do the scan but Avast acted like it wanted to so I let it!!!!

Could not find the Avast log but these are in the Virus Chest:

A0001735.dll
C:\System Volume Information\_restore{D13FE2CF-60D8-4A9F-8651-658F754CA8FE}\RP5
Win32:Mal0b-FH [Cryp]

fxHelpdrv.dll
C:\Documents and Settings\Elisha\Local Settings\Application Data\Directcrtlib
Win32:Mal0b-FH [Cryp]

Uninstalled and reinstalled ComboFix.

ComboFix Log:
ComboFix 11-05-25.01 - Elisha 05/25/2011 20:00:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1399 [GMT -4:00]
Running from: c:\documents and settings\Elisha\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
.
.
2011-05-25 01:00 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-25 01:00 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-25 00:59 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-25 00:59 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-25 00:59 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-25 00:59 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-25 00:59 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-25 00:59 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-25 00:58 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-25 00:58 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-25 00:57 . 2011-05-25 00:57 -------- d-----w- c:\program files\AVAST Software
2011-05-25 00:57 . 2011-05-25 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-23 19:19 . 2011-05-23 19:19 -------- d-----w- c:\program files\FreeTime
2011-05-23 17:52 . 2011-05-24 23:54 -------- d-----w- c:\program files\LimeWire
2011-05-23 03:50 . 2011-05-23 03:50 -------- d-----w- c:\program files\CCleaner
2011-05-20 17:26 . 2011-05-20 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-17 01:11 . 2011-05-17 01:11 -------- d-----w- c:\program files\iPod
2011-05-17 01:11 . 2011-05-17 01:12 -------- d-----w- c:\program files\iTunes
2011-05-17 01:06 . 2011-05-17 01:06 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-15 19:16 . 2009-10-19 13:31 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-29 17:09 . 2011-03-29 17:09 388096 ----a-r- c:\documents and settings\Elisha\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-29 17:08 . 2010-04-21 03:27 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Elisha\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-08 524288]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2009-08-25 37232]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Elisha\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Marketsplash Print Software.lnk - c:\program files\Hewlett-Packard\Marketsplash by HP\HPLocalWebPrintAgent.exe [2010-10-11 93752]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-6-12 869376]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Documents and Settings\\Elisha\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/24/2011 8:59 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/24/2011 9:00 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/24/2011 9:00 PM 19544]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWSNX
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 22:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:04]
.
2010-07-17 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8271031119.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003Core.job
- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
.
2011-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003UA.job
- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
.
2011-05-25 c:\windows\Tasks\User_Feed_Synchronization-{D6CA2E92-1012-45B4-8083-12DDB7804433}.job
- c:\windows\system32\msfeedssync.exe [2008-07-12 08:31]
.
2010-01-24 c:\windows\Tasks\videopadSevenDaysInit.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-24 03:56]
.
2010-03-08 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-24 03:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Elisha\Application Data\Mozilla\Firefox\Profiles\4f4w6oap.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-fxHelpdrv - c:\documents and settings\Elisha\Local Settings\Application Data\Directcrtlib\fxHelpdrv.dll
SafeBoot-Wdf01000.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-25 20:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1004336348-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38A1A3F4-95FF-1D4A-F69C-AEFBA5D8A524}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iagegngbfbpkdnpaii"=hex:6a,61,6c,6d,70,68,66,63,69,61,67,6e,68,6b,70,66,68,69,
6b,69,00,f1
"haehnpmmnikkhkpk"=hex:6a,61,6c,6d,70,68,66,63,69,61,67,6e,68,6b,70,66,68,69,
6b,69,00,f1
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-25 20:22:38
ComboFix-quarantined-files.txt 2011-05-26 00:22
.
Pre-Run: 75,625,074,688 bytes free
Post-Run: 75,686,199,296 bytes free
.
- - End Of File - - B15D622FFE5CF1FA114F4D22C0D69F77

ESETScan Log
C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany.zip PHP/Kryptik.AB trojan
C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany\footer.php PHP/Kryptik.AB trojan

Thanks so much for looking this over!
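The Firefox lines in the ComboFix log above show keyword.URL (the pref Firefox of that era used for address-bar searches) pointing at search-star.net in both prefs.js and user.js, plus network.proxy.type set to 4 rather than the default 5; that is the footprint behind the redirect symptom. As an added example, not part of this thread or of ComboFix, here is a small Python checker that parses either real prefs.js/user.js lines or the "FF - prefs.js:" summary lines ComboFix prints and flags such settings; the allowlist of search hosts and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts a user would legitimately point address-bar search at. Constructed
# allowlist for this example; extend it with the engines actually in use.
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}

# Meanings of Firefox's network.proxy.type values (5, use system settings,
# is the default; 0 is a direct connection).
PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC URL", 4: "WPAD auto-detect", 5: "system"}

# Accepted line shapes: a real prefs.js/user.js line, or the summary line
# ComboFix prints for the same pref ("FF - prefs.js: key - value").
USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
COMBOFIX_RE = re.compile(r'^\s*FF - (?:prefs|user)\.js: (\S+) - (.+?)\s*$')


def _coerce(raw):
    """Turn the textual pref value into str, bool or int."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Collect prefs from either format into {key: value}; later lines win,
    which mirrors user.js overriding prefs.js at startup."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line) or COMBOFIX_RE.match(line)
        if m:
            prefs[m.group(1)] = _coerce(m.group(2))
    return prefs


def find_hijack_indicators(prefs):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    url = prefs.get("keyword.URL")
    if isinstance(url, str) and url:
        # ComboFix defangs http as hxxp; undo that so the host parses.
        if url.startswith("hxxp"):
            url = "http" + url[4:]
        host = urlsplit(url).hostname or ""
        if host not in KNOWN_SEARCH_HOSTS:
            findings.append(
                f"keyword.URL routes address-bar searches through unknown host {host!r}")
    ptype = prefs.get("network.proxy.type")
    if isinstance(ptype, int) and ptype not in (0, 5):
        findings.append(
            f"network.proxy.type={ptype} ({PROXY_TYPES.get(ptype, 'unknown')}) "
            "is not the default; confirm who configured the proxy")
    for key in ("network.proxy.http", "network.proxy.autoconfig_url"):
        if prefs.get(key):
            findings.append(f"{key} is set to {prefs[key]!r}")
    return findings


def check(text):
    """Parse a prefs dump and return its hijack indicators."""
    return find_hijack_indicators(parse_prefs(text))


# Constructed sample modelled on the FF lines of the ComboFix log in this thread.
SAMPLE_COMBOFIX = """\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - prefs.js: network.proxy.type - 4
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
"""

# The same settings as they would appear in the profile's own prefs.js (constructed).
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("keyword.URL", "http://search.search-star.net/?sid=10101038100&s=");
user_pref("network.proxy.type", 4);
"""

# A clean profile for comparison (constructed).
CLEAN_PREFS_JS = """\
user_pref("keyword.URL", "http://www.google.com/search?q=");
user_pref("network.proxy.type", 5);
"""

if __name__ == "__main__":
    for name, text in (("combofix", SAMPLE_COMBOFIX), ("prefs.js", SAMPLE_PREFS_JS),
                       ("clean", CLEAN_PREFS_JS)):
        print(name, "->", check(text) or "no indicators")
```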
 
No problem! I can handle the removals of the 'unused' in the script for Combofix.
==============================
For Eset entries: There is some discussion about similar entries being found on the WordPress footer. It didn't appear to have been resolved. There is a chance these are a False Positive. But their discussion took place over 7 months ago, so considering it is still coming up as a Trojan, I think it is safe to go ahead and remove it.
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany.zip 
    C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany\footer.php 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===================================
Will be back after lunch with script for Combofix. Go ahead with the above now.
 
Okay then- let's continue:
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
KillAll::
File::
c:\windows\system32\drivers\ssport.sys
c:\windows\system32\drivers\androidusb.sys
c:\windows\system32\drivers\hitmanpro35.sys
Folder::
c:\program files\LimeWire
DDS::
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
mRun: [<NO NAME>] 
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll

RegNull::
[HKEY_USERS\S-1-5-21-1004336348-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38A1A3F4-95FF-1D4A-F69C-AEFBA5D8A524}*]
Driver::
SSPORT
HTCAND32
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
===============================================
Scheduled Tasks: You have some Tasks scheduled which I suggest you remove using Option #3 below:
These tasks are:

  • c:\windows\Tasks\AppleSoftwareUpdate.job
  • c:\windows\Tasks\FRU Task (for the HP printer and digital imaging; the task's name is followed by a very long numerical string ending in '.job')
  • c:\windows\Tasks\videopadSevenDaysInit.job
  • c:\windows\Tasks\videopadShakeIcon.job
Most of these found are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible and then only if needed for the system. The only auto-update I get is for the AV program.

Opening scheduled tasks to modify or delete them:
Access Scheduled Tasks: click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
To change the settings for a task: right-click the Task> click Properties> do any of the following:
  1. To change the schedule for the task, click the Schedule tab.
  2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
  3. To delete a task> right-click the task> click Delete.
  4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.
===============================
Let me know how the system is doing when you finish this.
 
OTM and ComboFix Logs

Ok, I did this backwards by accident, so I hope it doesn't mess anything up that you had me do. I clicked the link in the email about ComboFix first and ran all of that, which deleted what it needed, and then restarted the computer. I then removed the Scheduled Tasks which you suggested, thanks! I get tired of the Apple task popping up all the time. Then I was deleting emails and saw the email about OTM. I went in and did the OTM after the ComboFix and Scheduled Tasks. I hope that is ok?

As for the computer: start up is slow, but I just think that is because it is an old computer. I usually leave it on 24/7 and don't ever notice the start up so I'm sure it is normal.

As for the WordPress theme and the footer problem: is that a WordPress issue or just this theme? If you look at my blog, blog.darrenmcnew.com, it has always had a messed up footer since I installed it. It's no big deal, but now that you said it, it made me wonder if that is why?

I do have an "advice" question. Since I uninstalled AVG and installed Avast, is there a reason for that? I've always used AVG and I am certainly not opposed to trying a different Anti Virus; my question is, which is your favorite or what do you recommend? I noticed you suggested Avast and another one. What are your thoughts? Also, Malwarebytes has seemed to be a great program. Should I keep it? And Spy Bot, is it worth keeping? I have mixed feelings if it is even doing anything or just taking up space!!!

OK here are my logs.

OTM Log:

All processes killed
========== FILES ==========
C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany.zip moved successfully.
C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany\footer.php moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Elisha
->Temp folder emptied: 5822 bytes
->Temporary Internet Files folder emptied: 7463883 bytes
->Java cache emptied: 583332 bytes
->FireFox cache emptied: 53474952 bytes
->Flash cache emptied: 5926 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1198 bytes

Total Files Cleaned = 59.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 05262011_172908

Files moved on Reboot...

Registry entries deleted on Reboot...

ComboFix Log:

ComboFix 11-05-26.01 - Elisha 05/26/2011 16:22:11.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1369 [GMT -4:00]
Running from: c:\documents and settings\Elisha\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Elisha\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\drivers\androidusb.sys"
"c:\windows\system32\drivers\hitmanpro35.sys"
"c:\windows\system32\drivers\ssport.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\LimeWire
c:\program files\LimeWire\lib\unpackedJars.tmp
c:\program files\vshare\vshare_toolbar.dll
c:\windows\system32\drivers\hitmanpro35.sys
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SSPORT
-------\Service_HTCAND32
-------\Service_SSPORT
.
.
((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
.
.
2011-05-26 01:36 . 2011-05-26 01:36 -------- d-----w- c:\program files\ESET
2011-05-25 01:00 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-25 01:00 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-25 00:59 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-25 00:59 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-25 00:59 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-25 00:59 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-25 00:59 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-25 00:59 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-25 00:58 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-25 00:58 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-25 00:57 . 2011-05-25 00:57 -------- d-----w- c:\program files\AVAST Software
2011-05-25 00:57 . 2011-05-25 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-23 19:19 . 2011-05-23 19:19 -------- d-----w- c:\program files\FreeTime
2011-05-23 03:50 . 2011-05-23 03:50 -------- d-----w- c:\program files\CCleaner
2011-05-20 17:26 . 2011-05-20 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-17 01:11 . 2011-05-17 01:11 -------- d-----w- c:\program files\iPod
2011-05-17 01:11 . 2011-05-17 01:12 -------- d-----w- c:\program files\iTunes
2011-05-17 01:06 . 2011-05-17 01:06 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-15 19:16 . 2009-10-19 13:31 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-29 17:09 . 2011-03-29 17:09 388096 ----a-r- c:\documents and settings\Elisha\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Elisha\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-08 524288]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2009-08-25 37232]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Elisha\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Marketsplash Print Software.lnk - c:\program files\Hewlett-Packard\Marketsplash by HP\HPLocalWebPrintAgent.exe [2010-10-11 93752]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-6-12 869376]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Documents and Settings\\Elisha\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/24/2011 8:59 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/24/2011 9:00 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/24/2011 9:00 PM 19544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 22:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:04]
.
2010-07-17 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8271031119.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
.
2011-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003Core.job
- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
.
2011-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003UA.job
- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
.
2011-05-26 c:\windows\Tasks\User_Feed_Synchronization-{D6CA2E92-1012-45B4-8083-12DDB7804433}.job
- c:\windows\system32\msfeedssync.exe [2008-07-12 08:31]
.
2010-01-24 c:\windows\Tasks\videopadSevenDaysInit.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-24 03:56]
.
2010-03-08 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-24 03:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Elisha\Application Data\Mozilla\Firefox\Profiles\4f4w6oap.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{043C5167-00BB-4324-AF7E-62013FAEDACF} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-26 16:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1100)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\ALCXMNTR.EXE
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2011-05-26 16:56:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-26 20:56
ComboFix2.txt 2011-05-26 00:22
.
Pre-Run: 75,426,639,872 bytes free
Post-Run: 75,291,607,040 bytes free
.
- - End Of File - - DC1E98EC10A0EAED2266BB4B855A3835
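The Firefox keyword.URL and network.proxy.type lines in the 'Supplementary Scan' section of the ComboFix log above are what a helper reads to confirm a search redirect instead of guessing from the symptoms. The Python script below is an added example for this thread, not ComboFix, DDS or TechSpot code: it parses a constructed log excerpt modelled on those lines and lists keyword.URL targets outside an assumed allowlist of search hosts, non-default proxy settings, and BHOs loaded from directories the helper has not yet vetted (both allowlists are assumptions to tune per case).

```python
"""Triage a ComboFix/DDS-style log excerpt for browser search-redirect indicators.

Added example for this thread, not ComboFix, DDS or TechSpot code. SAMPLE_LOG is
constructed from the shape of the entries quoted in the thread; the host and
vendor allowlists are assumptions a helper would tune per case.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts that address-bar (keyword) searches may legitimately go to.
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}

# Assumption: directories of BHOs the helper has already vetted (lower-case).
KNOWN_BHO_DIRS = ("c:\\program files\\avg\\", "c:\\progra~1\\mcafee\\")

# Constructed sample, modelled on the 'Supplementary Scan' and BHO lines in the thread.
SAMPLE_LOG = """\
uStart Page = hxxp://www.yahoo.com/
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - prefs.js: network.proxy.type - 4
FF - Ext: vShare: vshareus@toolbar - %profile%\\extensions\\vshareus@toolbar
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\\program files\\vshare\\vshare_toolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg10\\avgssie.dll
"""

PREF_RE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?): (\{[0-9A-Fa-f-]+\}) - (.*)$")


def refang(value):
    """Logs write hxxp:// so URLs are not clickable; restore the scheme for parsing."""
    return re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)


def parse_log(text):
    """Return ({pref_name: [(source_file, value), ...]}, [bho_dict, ...])."""
    prefs, bhos = {}, []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
            continue
        m = BHO_RE.match(line)
        if m:
            bhos.append({"name": m.group(1), "clsid": m.group(2).lower(),
                         "path": m.group(3).strip()})
    return prefs, bhos


def find_indicators(text, known_hosts=KNOWN_SEARCH_HOSTS, known_dirs=KNOWN_BHO_DIRS):
    """List the entries a helper would want to look at before writing a fix script."""
    prefs, bhos = parse_log(text)
    findings = []
    # keyword.URL decides where a non-URL typed in the address bar is sent; a
    # redirect hijack points it at a search host the user never chose.
    for src, value in prefs.get("keyword.URL", []):
        host = urlparse(refang(value)).hostname
        if host not in known_hosts:
            findings.append(f"{src}: keyword.URL sends address-bar searches to {host}")
    # network.proxy.type: 0 = no proxy, 5 = use system settings; anything else
    # (1 manual, 2 PAC URL, 4 auto-detect/WPAD) routes traffic somewhere to verify.
    for src, value in prefs.get("network.proxy.type", []):
        if value.strip() not in ("0", "5"):
            findings.append(f"{src}: network.proxy.type = {value.strip()}, verify the proxy in use")
    # A BHO loads into every Internet Explorer process; unvetted ones get listed.
    for bho in bhos:
        if not bho["path"].lower().startswith(known_dirs):
            findings.append(f"BHO {bho['clsid']} ({bho['name']}) loads {bho['path']}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

Paste the 'Supplementary Scan' block of a real log in place of SAMPLE_LOG to use it; the point is to shorten the eyeballing of a long log, not to replace the fix script the helper writes afterwards.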
 
About this and 'slow':
I usually leave it on 24/7 and don't ever notice the start up so I'm sure it is normal.
Okay to leave on- I hope that is either in Sleep or on Standby- but you still need to reboot occasionally to free up the memory.
===============================
'Advice' questions:
1. Since I uninstalled AVG and installed Avast, is there a reason for that?
Yes, there is. Combofix won't run with AVG installed. AVG left no way for users to disable it fully to run scans.
2. I've always used AVG and I am certainly not opposed to trying a different Anti Virus, my question is, which is your favorite or what do you recommend? I noticed you suggested Avast and another one. What are your thoughts?
You can reinstall AVG after we have finished using Combofix. We offer Avast or Avira to be used as temporary AV when removing AVG, because they are both free and good.
You can stay with either and add a firewall. Both of these are good, free and bi-directional:
  • Comodo
  • Zone Alarm
Or you can get Nod32, which is excellent, but not free.
3. Malwarebytes has seemed to be a great program. Should I keep it?
No, don't keep it on the system. If needed, run the free scan occasionally. But this free version isn't going to auto-update. If you want the fully functional Mbam, you will have to purchase it.
4. And Spy Bot, is it worth keeping? I have mixed feelings if it is even doing anything or just taking up space!!!
Keep it. Remember to update and run scans. Another good antimalware program that will work in the background is:
SpywareBlaster: SpywareBlaster protects against bad ActiveX.
5. Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.

Some antimalware programs are 'find and fix.' Others are 'prevent'. So you need a balance between the two.

Going to take lunch break. Will review Combofix log when I come back.
 
I may have you run Combofix again to see if there are any 'left over' entries from processes that have been removed. Back to the complaint about slow> you have many auto-update processes loading. That means they are going to be checking the internet several times a day, every day, looking for updates. This uses system resources as well as time.

Did you know that the printer/imaging programs don't need to start on boot? To print: Click on File> Print.
To use the HP Image Director: Open All Programs and select from there

So all of the HP processes and any related to their imaging can be unchecked on the Startup menu.
====================================
To remove entries from the Startup Menu using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
    [image: msconfig_open_xp.gif]
  • Click on Selective Startup
  • Choose the Startup tab:
    [image: startup_tab_xp.gif]
    All images courtesy NetSquirrel
  • To expand the Command Column (this shows what the process 'belongs' to), hold the left mouse button down on the dividing line on the frame above Location and move to the right to expand.
  • Uncheck any processes you do not need to start on boot. All of the following can be taken off the Startup menu:
    hp psc 1000 series and Digital Imaging processes
    hpoddt01.exe
    Marketsplash Print Software
    HP\HPLocalWebPrintAgent.exe
    Printkey2000
    NeroFilterCheck
    SunJavaUpdate (jusched)
    Adobe Reader Speed Launcher (Reader_sl.exe)
    Adobe ARM
    QuickTime Task (QTTask.exe)
    HP Software Update (HPWuSchd2.exe)
    iTunesHelper
  • Click on Apply> OK when finished.
NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.

Please open Firefox> Tools> Extensions> remove the following:
Java v6u17
Java v6u24
vShare

Now update Java: check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
Note: You do not need to put a separate extension for Java on Firefox.
========================================
Repeat the Eset Online Virus scan, updating first. (Combofix removed an infected file, indicating there is still a 'leak' in the system security.)

I need to check the Eset log before finishing up.
 
OK, Eset log

Ok, I "unchecked" the start up programs you recommended and it seems to start a bit faster, which is great. It makes sense to eliminate as much as possible. I guess when these programs install they automatically set up to start for update checks and such??? I guess I'll watch out for this in the future when installing certain things.

Also, thank you so much for the great advice on the programs to use. Does AVG have a built in firewall? Avast and Avira don't? Like I said, I will try either of them. I'm actually thinking of uninstalling Avast and installing Avira. I don't know why, but it seems like my computer opens things a bit slower than before and I'm thinking it may be Avast?

Also something strange is happening and I'm not sure if it is Avast or something else I've done. When attempting to watch YouTube videos, the sound is very "choppy" when playing, like slight skipping. I also noticed it when I restarted after unchecking the startup things you told me to eliminate: when Windows started and it played its "start up jingle", it sounded like the YouTube videos. Really choppy and skipping. It was weird. Not smooth and clear like usual.

I am going to take your advice and uninstall Malwarebytes and configure SpyBot to work to its full advantage. I will also look into and install the other programs you recommended. I understand "antimalware" because of your explanation now and I thank you. I never knew some were to prevent while others fixed. That is very important to know and I'm very thankful you explained.

Here is my Eset Log:
C:\_OTM\MovedFiles\05262011_172908\C_Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany.zip PHP/Kryptik.AB trojan
C:\_OTM\MovedFiles\05262011_172908\C_Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany\footer.php PHP/Kryptik.AB trojan
 
Answering your questions and comments:
1. Most downloads will place themselves on the Startup menu. This would also include whatever is bundled with it, such as an auto-update. Usually, if you can do a Custom Install instead of General, you can include or decline putting it on the startup menu.
2.
Does AVG have a built in firewall? Avast and Avira don't?
As far as I know, no free antivirus programs also have a firewall. That would be included in a 'suite', which is a purchase. But you can add a free firewall as mentioned. Also as mentioned, some would rather buy a suite and have everything bundled with it. My personal preference is not to use suites, but rather use individual, free-standing programs.
3. I haven't used either Avast or Avira, but whichever you use, you should open the program's configuration before you start using it. Any program will have 'default' settings- that means that these settings come already set with the program. That does not mean you can't change them! For instance, having an AV program set to scan on boot isn't necessary and will slow load time down.
4.
sound is very "choppy" and skipping
Check the Device Manager as follows, with particular attention to the Sound, Video and Game Controllers:

Using Safe Mode and Device Manager to troubleshoot.

1) Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

2) Access the Device Manager: Control Panel> System> Hardware tab> Device Manager
  • Double-click (or highlight a device> Properties). This will show Device Status and Device Usage
  • Disable the drivers for the following devices (if present) using the Device Usage for each
    • Display Adapters
    • Floppy Disk Controllers
    • Hard Disk Controllers
    • Keyboard
    • Mouse
    • Network Adapters
    • PCMCIA Socket
    • Ports
    • SCSI Controllers
    • Sound, Video, and Game Controllers

    This icon [image: devman1.jpg] appears on devices that aren't responding or whose drivers aren't installed properly.
    This icon [image: devman5.jpg] appears on devices that have been disabled.

3) Reboot the computer into normal mode.
  • If the computer successfully boots into normal mode, reenable half of the device drivers that were disabled and reboot.
  • Continue rebooting and reenabling successively more devices until Windows no longer boots normally.
  • One of the device drivers in the most recently reenabled group of drivers is causing the problem.
==============================================
You have taken all of these off of the Startup Menu, correct? Did you uninstall any of them?
Update and rescan with Combofix. I can then remove any 'left-over' entries (including Registry entries) in script to run:
hp psc 1000 series and Digital Imaging processes
hpoddt01.exe.
Marketsplash Print Software.
HP\HPLocalWebPrintAgent.exe
Printkey2000
NeroFilterCheck
SunJavaUpdate (jusched)
Adobe Reader Speed Launcher (Reader_sl.exe)
Adobe ARM
QuickTime Task (QTTask.exe)
HP Software Update (HPWuSchd2.exe)
iTunesHelper
 
ComboFix Scan

Ok, so I went and messed with disabling some of the hardware like you recommended in Safe Mode. The computer booted fine every time. The first boot seemed like it ran smooth, but I could not really tell because I had no sound when I went to YouTube. I started by turning on half and then one by one I was turning on each one. Then YouTube worked sound wise, but it was still choppy. I went through this process twice thinking it was something in the Audio/Video codec or drivers. When I had all those disabled the second time around, I could not hear anything, but I could see that the video was still "skippy" or choppy when playing. I don't really know what to do about that. It is frustrating because I know that in the future it will always do this. Like I said, even the startup music is choppy and when I shut down or restart the sound is choppy, so I know it is not YouTube!!! Computers are fun! You must have amazing patience! :)

Anyways, here is the ComboFix log:

ComboFix 11-05-29.01 - Elisha 05/30/2011 6:12.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1453 [GMT -4:00]
Running from: c:\documents and settings\Elisha\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-30 )))))))))))))))))))))))))))))))
.
.
2011-05-30 10:06 . 2011-05-30 10:06 -------- d-----w- c:\documents and settings\Elisha\Application Data\Avira
2011-05-29 18:33 . 2008-07-09 09:05 421888 ----a-w- c:\windows\system32\ac3filter.acm
2011-05-29 18:33 . 2011-05-29 18:33 -------- d-----w- c:\program files\XP Codec Pack
2011-05-29 02:32 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-29 02:32 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-05-29 02:32 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-05-29 02:32 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-05-28 23:09 . 2011-05-28 23:09 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-28 22:10 . 2011-05-28 22:10 -------- d-----w- c:\windows\nview
2011-05-28 02:40 . 2011-05-28 02:40 -------- d-----w- c:\program files\Avira
2011-05-28 02:40 . 2011-05-28 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-05-28 02:20 . 2011-05-28 23:07 -------- d-----w- c:\program files\SpywareBlaster
2011-05-28 02:17 . 2011-05-28 02:17 -------- d-----w- c:\program files\COMODO
2011-05-28 02:15 . 2011-05-30 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-05-27 20:46 . 2011-05-27 20:46 -------- d-----w- c:\program files\Common Files\Java
2011-05-27 20:45 . 2011-05-27 20:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-26 21:29 . 2011-05-26 21:29 -------- d-----w- C:\_OTM
2011-05-26 01:36 . 2011-05-26 01:36 -------- d-----w- c:\program files\ESET
2011-05-25 00:57 . 2011-05-28 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-25 00:57 . 2011-05-25 00:57 -------- d-----w- c:\program files\AVAST Software
2011-05-23 19:19 . 2011-05-23 19:19 -------- d-----w- c:\program files\FreeTime
2011-05-23 03:50 . 2011-05-23 03:50 -------- d-----w- c:\program files\CCleaner
2011-05-20 17:26 . 2011-05-20 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-17 01:11 . 2011-05-17 01:11 -------- d-----w- c:\program files\iPod
2011-05-17 01:11 . 2011-05-17 01:12 -------- d-----w- c:\program files\iTunes
2011-05-17 01:06 . 2011-05-17 01:06 -------- d-----w- c:\program files\Bonjour
2011-05-07 20:17 . 2011-05-07 20:17 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-05-03 00:36 . 2011-05-03 00:36 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-03 00:36 . 2011-05-03 00:36 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-03 00:36 . 2011-05-03 00:36 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-05-03 00:36 . 2011-05-03 00:36 284744 ----a-w- c:\windows\system32\guard32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-27 20:44 . 2011-03-15 21:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-15 19:16 . 2009-10-19 13:31 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-29 17:09 . 2011-03-29 17:09 388096 ----a-r- c:\documents and settings\Elisha\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-05-26_00.15.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-30 00:01 . 2011-05-30 00:01 16384 c:\windows\temp\Perflib_Perfdata_570.dat
+ 2004-08-10 06:52 . 2004-08-10 06:52 49221 c:\windows\system32\rv40.dll
+ 2004-08-10 06:52 . 2004-08-10 06:52 49221 c:\windows\system32\rv30.dll
+ 2004-08-10 06:51 . 2004-08-10 06:51 57411 c:\windows\system32\rv20.dll
+ 2004-08-10 06:50 . 2004-08-10 06:50 49216 c:\windows\system32\rv10.dll
+ 2008-04-14 08:00 . 2011-05-28 19:55 68156 c:\windows\system32\perfc009.dat
- 2008-04-14 08:00 . 2011-03-15 21:57 68156 c:\windows\system32\perfc009.dat
+ 2008-12-17 17:22 . 2008-12-17 17:22 93184 c:\windows\system32\ff_wmv9.dll
+ 2008-12-17 17:22 . 2008-12-17 17:22 57344 c:\windows\system32\ff_vfw.dll
+ 2011-05-29 02:32 . 2010-06-17 19:27 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2004-08-10 06:50 . 2004-08-10 06:50 65602 c:\windows\system32\cook.dll
+ 2004-08-10 06:50 . 2004-08-10 06:50 77889 c:\windows\system32\atrc.dll
+ 2004-08-10 06:50 . 2004-08-10 06:50 106561 c:\windows\system32\sipr.dll
+ 2010-07-23 03:49 . 2011-05-28 23:11 292792 c:\windows\system32\Restore\rstrlog.dat
+ 2003-11-25 23:32 . 2003-11-25 23:32 123392 c:\windows\system32\pncrt.dll
- 2008-04-14 08:00 . 2011-03-15 21:57 435260 c:\windows\system32\perfh009.dat
+ 2008-04-14 08:00 . 2011-05-28 19:55 435260 c:\windows\system32\perfh009.dat
+ 2004-04-20 22:00 . 2004-04-20 22:00 172032 c:\windows\system32\OptimFROG.dll
+ 2008-12-17 16:59 . 2008-12-17 16:59 560802 c:\windows\system32\libmplayer.dll
+ 2011-05-27 20:45 . 2011-05-27 20:44 157472 c:\windows\system32\javaws.exe
- 2011-03-15 21:51 . 2011-02-03 01:40 157472 c:\windows\system32\javaws.exe
- 2011-03-15 21:51 . 2011-02-03 01:40 145184 c:\windows\system32\javaw.exe
+ 2011-05-27 20:45 . 2011-05-27 20:44 145184 c:\windows\system32\javaw.exe
+ 2011-05-27 20:45 . 2011-05-27 20:44 145184 c:\windows\system32\java.exe
- 2011-03-15 21:51 . 2011-02-03 01:40 145184 c:\windows\system32\java.exe
+ 2004-08-10 06:52 . 2004-08-10 06:52 241723 c:\windows\system32\hxltcolor.dll
+ 2008-12-17 17:41 . 2008-12-17 17:41 884237 c:\windows\system32\ff_x264.dll
+ 2008-12-17 17:17 . 2008-12-17 17:17 239247 c:\windows\system32\ff_theora.dll
+ 2004-10-03 17:50 . 2004-10-03 17:50 129024 c:\windows\system32\ff_mpeg2enc.dll
+ 2004-11-24 19:25 . 2004-11-24 19:25 335872 c:\windows\system32\drvc.dll
+ 2004-08-10 06:51 . 2004-08-10 06:51 176195 c:\windows\system32\drv2.dll
+ 2004-08-10 06:50 . 2004-08-10 06:50 102464 c:\windows\system32\drv1.dll
+ 2011-05-27 20:46 . 2011-05-27 20:46 180224 c:\windows\Installer\b35a3e.msi
+ 2011-05-27 20:43 . 2011-05-27 20:43 675840 c:\windows\Installer\b35a2e.msi
+ 2011-05-29 14:06 . 2011-05-29 14:06 245760 c:\windows\ERDNT\AutoBackup\5-29-2011\Users\00000002\UsrClass.dat
+ 2011-05-29 14:06 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-29-2011\ERDNT.EXE
+ 2011-05-28 19:47 . 2011-05-28 19:47 245760 c:\windows\ERDNT\AutoBackup\5-28-2011\Users\00000002\UsrClass.dat
+ 2011-05-27 20:54 . 2011-05-27 20:54 245760 c:\windows\ERDNT\AutoBackup\5-27-2011\Users\00000002\UsrClass.dat
+ 2011-05-27 20:54 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-27-2011\ERDNT.EXE
+ 2011-05-26 20:44 . 2011-05-26 20:44 245760 c:\windows\ERDNT\AutoBackup\5-26-2011\Users\00000002\UsrClass.dat
+ 2011-05-26 20:44 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-26-2011\ERDNT.EXE
+ 2009-06-24 14:39 . 2009-06-24 14:39 1003520 c:\windows\system32\VSFilter.dll
+ 2009-06-11 16:14 . 2008-04-14 09:42 4274816 c:\windows\system32\nv4_disp(7).dll
+ 2009-06-11 16:14 . 2008-04-14 09:42 4274816 c:\windows\system32\nv4_disp(6).dll
+ 2009-06-11 16:14 . 2008-04-14 09:42 4274816 c:\windows\system32\nv4_disp(5).dll
+ 2009-06-11 16:14 . 2008-04-14 09:42 4274816 c:\windows\system32\nv4_disp(4).dll
+ 2009-06-11 16:14 . 2008-04-14 09:42 4274816 c:\windows\system32\nv4_disp(3).dll
+ 2008-12-19 15:15 . 2008-12-19 15:15 4338246 c:\windows\system32\libavcodec.dll
+ 2011-05-29 23:56 . 2011-05-29 23:56 3424768 c:\windows\Installer\21dc937.msi
+ 2011-05-28 02:15 . 2011-05-28 02:15 29083648 c:\windows\Installer\12a8a25.msi
+ 2011-05-29 14:06 . 2011-05-29 14:06 11333632 c:\windows\ERDNT\AutoBackup\5-29-2011\Users\00000001\NTUSER.DAT
+ 2011-05-28 19:47 . 2011-05-28 19:47 11333632 c:\windows\ERDNT\AutoBackup\5-28-2011\Users\00000001\NTUSER.DAT
+ 2011-05-27 20:54 . 2011-05-27 20:54 11333632 c:\windows\ERDNT\AutoBackup\5-27-2011\Users\00000001\NTUSER.DAT
+ 2011-05-26 20:44 . 2011-05-26 20:44 11333632 c:\windows\ERDNT\AutoBackup\5-26-2011\Users\00000001\NTUSER.DAT
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2009-08-25 37232]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Elisha\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Marketsplash Print Software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Marketsplash Print Software.lnk
backup=c:\windows\pss\Marketsplash Print Software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
backup=c:\windows\pss\Printkey2000.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-06-10 00:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 17:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [5/2/2011 8:36 PM 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [5/2/2011 8:36 PM 29400]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/28/2011 10:32 PM 136360]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CMDAGENT
*NewlyCreated* - CMDGUARD
*NewlyCreated* - CMDHLP
*NewlyCreated* - INSPECT
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 22:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003Core.job
- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
.
2011-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003UA.job
- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
.
2011-05-30 c:\windows\Tasks\User_Feed_Synchronization-{D6CA2E92-1012-45B4-8083-12DDB7804433}.job
- c:\windows\system32\msfeedssync.exe [2008-07-12 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Elisha\Application Data\Mozilla\Firefox\Profiles\4f4w6oap.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-30 06:23
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3112)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2011-05-30 06:29:20
ComboFix-quarantined-files.txt 2011-05-30 10:28
ComboFix2.txt 2011-05-26 20:56
ComboFix3.txt 2011-05-26 00:22
.
Pre-Run: 73,760,169,984 bytes free
Post-Run: 73,755,271,168 bytes free
.
- - End Of File - - 94A9A69663E76C33D27963AE6D7FFCB3
 
I think you may have misunderstood my reason for your trip into the Device Manager. It was to look for errors in the drivers. Then, if any were found, attempt a driver update first, not disabling!

Of course you won't get any sound with all of the sound drivers disabled. Did you find any errors, as described, in the Device Manager? If yes, what were the errors on?

Like I said, even the startup music is choppy and when I shut down or restart the sound is choppy so I
So any sound from either the internet or the computer itself is scratchy. This is pointing to a bad sound card.
As for the video problem: have you tried viewing a video on a site other than YouTube? They do have problems occasionally. Are you associating 'choppy' with sound and video together, or separately? Meaning, if the sound is completely disabled (right click on the Sound icon in the Notification Area > check Mute), does video play smoothly?

The ComboFix log is for me to look for any left-over entries for the programs you have unchecked on the Startup menu. Did you just check the processes I listed, no uninstalls, right?
 
Sound/Video and Startup

Ok,

When starting, everything seems to be fine other than the sound being choppy. Whether I play music on the computer, the startup sound, or videos, it is doing it. It is the video along with the audio; it's as if something is "lagging" or running slow. It was fine before I cleaned it up. If I disable all the sound options, videos are still "choppy" or "lagging" a bit. I'm not sure what the deal would be. Would it be bad to uninstall and reinstall all audio/video-related drivers and codecs, or do you think it is something else?

As far as the startup, I did not uninstall or delete anything. I just unchecked what you suggested, and then at the restart I checked the box that I wanted to continue in the mode where I selected what I wanted to start and to not show me the message again. I just checked msconfig again and they are still all unchecked. However, it seems like the Java one keeps checking itself back. I've checked twice, and after restarts it seems to be checked, but the rest are still unchecked. I'll just keep unchecking it every time I start; I'll keep an eye on that one.

The computer and internet seem to be running well. The search is working like it should, and I appreciate it a lot. This computer is still running pretty awesome for its year, but I have to expect that things can go wrong with its age as well.
 
For Java: Control Panel > Java > Update tab > uncheck 'Check automatically for updates' > click Yes to confirm > Apply > OK
==================================
You now have 2 antivirus programs on the system:
2011-05-28 02:40 -------- d-----w- c:\program files\Avira
2011-05-25 00:57 -------- d-----w- c:\program files\AVAST Software
If you plan to reinstall AVG when we finish, you can uninstall both.
====================================
Use the msconfig utility to uncheck any processes on the Startup menu that don't need to start on boot and run in the background. Uninstall any programs you are no longer using.
======================================
When you have finished the above, Please update and rescan with Combofix.

Tell me which of the programs in my quote box you have taken off of the Startup menu and which, if any, you have uninstalled. Then I will remove any 'left over' files or drivers and we will finish up.
=====================================
As for the audio/video problems, that's not in my area of knowledge. Please start a thread in the Hardware or Sound forum for those problems.
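The helper's check above (compare the "Reg Loading Points" of the new ComboFix log against the previous one to spot left-over or re-registered startup entries) is easy to automate. The script below is an added example for this thread, not ComboFix's output or the helper's own tooling. LOG_MAY30 and LOG_JUN03 are constructed excerpts of the two logs posted in this thread (the 05/30 one above and the 06/03 one in the reply that follows), trimmed to the HKLM Run key and the msconfig startupreg sections so the script runs offline; the regexes and the MSCONFIG path constant are assumptions about ComboFix's log format based only on the lines shown here.

```python
"""Diff the autorun entries ("Reg Loading Points") between two ComboFix logs.

Added example for this thread, not ComboFix's own output or the helper's
tooling. LOG_MAY30 and LOG_JUN03 are constructed excerpts of the two logs
posted in the thread, trimmed to the HKLM Run key and the msconfig
'startupreg' sections, so the script runs offline.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt: Reg Loading Points from the 05/30/2011 log.
LOG_MAY30 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2009-08-25 37232]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 17:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
"""

# Constructed excerpt: the same sections from the 06/03/2011 log.
LOG_JUN03 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2009-08-25 37232]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-12-09 01:02 136176 ----atw- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 17:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "Name"="value" [date size]   or   "Name"=unquoted value  (assumed format)
VALUE_RE = re.compile(r'^"([^"]+)"=("?)(.*?)\2(?:\s+\[.*\])?$')
# startupreg sections list the file on the next line: date time size attrs path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +\S+ +(.+)$")
MSCONFIG = "\\shared tools\\msconfig\\startupreg\\"  # assumed key layout

Entry = Tuple[str, str]  # (registry section, entry name)


def parse_autoruns(log: str) -> Dict[Entry, str]:
    """Map (section, name) -> command or file path for every autorun line."""
    entries: Dict[Entry, str] = {}
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue
        idx = section.lower().find(MSCONFIG)
        if idx != -1:
            # Item disabled through msconfig: the entry name is the last
            # component of the key and the file path follows on its own line.
            m = FILE_RE.match(line)
            if m:
                key = section[: idx + len(MSCONFIG) - 1]
                entries[(key, section[idx + len(MSCONFIG):])] = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m:
            entries[(section, m.group(1))] = m.group(3)
    return entries


def diff_autoruns(before: Dict[Entry, str], after: Dict[Entry, str]):
    """Return (removed, added, changed) between two parsed logs."""
    removed = {k: v for k, v in before.items() if k not in after}
    added = {k: v for k, v in after.items() if k not in before}
    changed = {k: (before[k], after[k]) for k in before
               if k in after and before[k] != after[k]}
    return removed, added, changed


def run_and_msconfig_overlap(entries: Dict[Entry, str]) -> List[str]:
    """Names both live in a Run key and parked under msconfig's startupreg:
    an item that was unchecked in msconfig but has been registered again."""
    live = {n for (s, n) in entries if s.lower().endswith("\\run")}
    parked = {n for (s, n) in entries if s.lower().endswith("\\msconfig\\startupreg")}
    return sorted(live & parked, key=str.lower)


if __name__ == "__main__":
    before, after = parse_autoruns(LOG_MAY30), parse_autoruns(LOG_JUN03)
    removed, added, changed = diff_autoruns(before, after)
    for label, group in (("removed", removed), ("added", added), ("changed", changed)):
        print(f"{label}:")
        for (section, name), value in group.items():
            tail = section.split("\\")[-1]
            print(f"  {name}  [{tail}] -> {value}")
    print("live and msconfig-parked, 05/30:", run_and_msconfig_overlap(before))
    print("live and msconfig-parked, 06/03:", run_and_msconfig_overlap(after))
```

Against the two excerpts the report lists BlackBerryAutoUpdate and SunJavaUpdateSched as gone from the HKLM Run key and Google Update as newly parked under msconfig's startupreg, which matches the changes the poster describes. The overlap check is the one worth keeping around: in the 05/30 log jusched.exe appears both as a live Run value and as a disabled startupreg item, the same pattern behind an msconfig box that "keeps checking itself back". To use it on real logs, replace the two constants with the full text of each ComboFix.txt; anything outside a `[section]` is ignored.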
 
ComboFix

Ok,

In start up I disabled RIM Auto Update and Google Update.

I uninstalled the following programs:
Acrobat.com
Apple Mobile
Apple App Support
Blackberry Desktop 5.0.1 and 6.0
K-Lite Codec Pack
Skype
Skype 4.1
XP Codec Pack
MyDSC2 (what is this?). I read it might be something for my digital camera???

Here is my newest ComboFix Log:

ComboFix 11-06-04.02 - Elisha 06/03/2011 20:59:11.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1490 [GMT -4:00]
Running from: c:\documents and settings\Elisha\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-04 to 2011-06-04 )))))))))))))))))))))))))))))))
.
.
2011-06-04 00:47 . 2011-06-04 00:47 -------- d-----w- c:\windows\LastGood
2011-05-30 10:06 . 2011-05-30 10:06 -------- d-----w- c:\documents and settings\Elisha\Application Data\Avira
2011-05-29 02:32 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-29 02:32 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-05-29 02:32 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-05-29 02:32 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-05-28 23:09 . 2011-05-28 23:09 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-28 22:10 . 2011-05-28 22:10 -------- d-----w- c:\windows\nview
2011-05-28 02:40 . 2011-05-28 02:40 -------- d-----w- c:\program files\Avira
2011-05-28 02:40 . 2011-05-28 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-05-28 02:20 . 2011-05-28 23:07 -------- d-----w- c:\program files\SpywareBlaster
2011-05-28 02:17 . 2011-05-28 02:17 -------- d-----w- c:\program files\COMODO
2011-05-28 02:15 . 2011-05-30 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-05-27 20:46 . 2011-05-27 20:46 -------- d-----w- c:\program files\Common Files\Java
2011-05-27 20:45 . 2011-05-27 20:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-26 21:29 . 2011-05-26 21:29 -------- d-----w- C:\_OTM
2011-05-26 01:36 . 2011-05-26 01:36 -------- d-----w- c:\program files\ESET
2011-05-25 00:57 . 2011-05-28 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-23 19:19 . 2011-05-23 19:19 -------- d-----w- c:\program files\FreeTime
2011-05-23 03:50 . 2011-05-23 03:50 -------- d-----w- c:\program files\CCleaner
2011-05-20 17:26 . 2011-05-20 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-17 01:11 . 2011-05-17 01:11 -------- d-----w- c:\program files\iPod
2011-05-17 01:11 . 2011-05-17 01:12 -------- d-----w- c:\program files\iTunes
2011-05-17 01:06 . 2011-05-17 01:06 -------- d-----w- c:\program files\Bonjour
2011-05-07 20:17 . 2011-05-07 20:17 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-27 20:44 . 2011-03-15 21:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-15 19:16 . 2009-10-19 13:31 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-05-03 00:36 . 2011-05-03 00:36 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-03 00:36 . 2011-05-03 00:36 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-03 00:36 . 2011-05-03 00:36 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-05-03 00:36 . 2011-05-03 00:36 284744 ----a-w- c:\windows\system32\guard32.dll
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-29 17:09 . 2011-03-29 17:09 388096 ----a-r- c:\documents and settings\Elisha\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-05-30_10.24.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-04 00:30 . 2011-06-04 00:30 16384 c:\windows\temp\Perflib_Perfdata_2e8.dat
- 2008-04-14 09:42 . 2008-04-14 05:12 23552 c:\windows\system32\wdmaud.drv
+ 2008-04-14 09:42 . 2008-04-14 13:42 23552 c:\windows\system32\wdmaud.drv
- 2008-04-14 04:15 . 2008-04-13 23:45 49408 c:\windows\system32\drivers\stream.sys
+ 2008-04-14 04:15 . 2008-04-14 08:15 49408 c:\windows\system32\drivers\stream.sys
+ 2009-06-12 00:53 . 2008-04-14 08:15 60160 c:\windows\system32\drivers\drmk.sys
- 2009-06-12 00:53 . 2008-04-13 23:45 60160 c:\windows\system32\drivers\drmk.sys
- 2008-04-14 09:42 . 2008-04-14 05:12 23552 c:\windows\system32\dllcache\wdmaud.drv
+ 2008-04-14 09:42 . 2008-04-14 13:42 23552 c:\windows\system32\dllcache\wdmaud.drv
+ 2008-04-14 04:15 . 2008-04-14 08:15 49408 c:\windows\system32\dllcache\stream.sys
- 2008-04-14 04:15 . 2008-04-13 23:45 49408 c:\windows\system32\dllcache\stream.sys
- 2009-06-12 00:53 . 2008-04-13 23:45 60160 c:\windows\system32\dllcache\drmk.sys
+ 2009-06-12 00:53 . 2008-04-14 08:15 60160 c:\windows\system32\dllcache\drmk.sys
+ 2011-06-04 00:47 . 2008-04-14 05:12 23552 c:\windows\LastGood\system32\wdmaud.drv
+ 2011-06-04 00:47 . 2008-04-13 23:45 49408 c:\windows\LastGood\system32\drivers\stream.sys
+ 2011-06-04 00:47 . 2008-04-13 23:45 60160 c:\windows\LastGood\system32\drivers\drmk.sys
+ 2004-09-07 17:47 . 2004-09-07 17:47 57344 c:\windows\ALCXMNTR.EXE
- 2009-06-12 00:53 . 2004-09-07 09:17 57344 c:\windows\ALCXMNTR.EXE
+ 2009-06-12 00:53 . 2008-04-14 13:41 4096 c:\windows\system32\ksuser.dll
- 2009-06-12 00:53 . 2008-04-14 05:11 4096 c:\windows\system32\ksuser.dll
+ 2009-06-12 00:53 . 2008-04-14 13:41 4096 c:\windows\system32\dllcache\ksuser.dll
- 2009-06-12 00:53 . 2008-04-14 05:11 4096 c:\windows\system32\dllcache\ksuser.dll
+ 2011-06-04 00:47 . 2008-04-14 05:11 4096 c:\windows\LastGood\system32\ksuser.dll
+ 2003-11-25 23:32 . 2002-12-06 06:02 272896 c:\windows\system32\pncrt.dll
+ 2009-06-12 00:53 . 2008-04-14 08:49 146048 c:\windows\system32\drivers\portcls.sys
- 2009-06-12 00:53 . 2008-04-14 00:19 146048 c:\windows\system32\drivers\portcls.sys
+ 2008-04-14 04:46 . 2008-04-14 08:46 141056 c:\windows\system32\drivers\ks.sys
- 2008-04-14 04:46 . 2008-04-14 09:46 141056 c:\windows\system32\drivers\ks.sys
- 2009-06-12 00:53 . 2008-04-14 00:19 146048 c:\windows\system32\dllcache\portcls.sys
+ 2009-06-12 00:53 . 2008-04-14 08:49 146048 c:\windows\system32\dllcache\portcls.sys
+ 2008-04-14 04:46 . 2008-04-14 08:46 141056 c:\windows\system32\dllcache\ks.sys
- 2008-04-14 04:46 . 2008-04-14 09:46 141056 c:\windows\system32\dllcache\ks.sys
+ 2011-06-04 00:47 . 2008-04-14 00:19 146048 c:\windows\LastGood\system32\drivers\portcls.sys
+ 2011-06-04 00:47 . 2008-04-14 09:46 141056 c:\windows\LastGood\system32\drivers\ks.sys
+ 2011-06-03 23:30 . 2011-06-03 23:30 245760 c:\windows\ERDNT\AutoBackup\6-3-2011\Users\00000002\UsrClass.dat
+ 2011-06-03 23:30 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\6-3-2011\ERDNT.EXE
+ 2004-10-01 14:24 . 2004-10-01 14:24 2279424 c:\windows\system32\drivers\ALCXWDM.SYS
- 2009-06-12 00:53 . 2004-10-01 05:54 2279424 c:\windows\system32\drivers\ALCXWDM.SYS
+ 2011-06-03 23:30 . 2011-06-03 23:30 11317248 c:\windows\ERDNT\AutoBackup\6-3-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2009-08-25 37232]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Elisha\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Marketsplash Print Software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Marketsplash Print Software.lnk
backup=c:\windows\pss\Marketsplash Print Software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
backup=c:\windows\pss\Printkey2000.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-12-09 01:02 136176 ----atw- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-06-10 00:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 17:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [5/2/2011 8:36 PM 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [5/2/2011 8:36 PM 29400]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/28/2011 10:32 PM 136360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 22:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003Core.job
- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
.
2011-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003UA.job
- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
.
2011-06-04 c:\windows\Tasks\User_Feed_Synchronization-{D6CA2E92-1012-45B4-8083-12DDB7804433}.job
- c:\windows\system32\msfeedssync.exe [2008-07-12 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Elisha\Application Data\Mozilla\Firefox\Profiles\4f4w6oap.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-03 21:09
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3044)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2011-06-03 21:14:32
ComboFix-quarantined-files.txt 2011-06-04 01:14
ComboFix2.txt 2011-05-30 10:29
ComboFix3.txt 2011-05-26 20:56
ComboFix4.txt 2011-05-26 00:22
.
Pre-Run: 73,605,574,656 bytes free
Post-Run: 73,607,708,672 bytes free
.
- - End Of File - - 6EFF0FD0D6B46E42B41CF08A221D355E
 
Okay, I don't see any entries remaining for the programs you uninstalled. If you will run HijackThis, I can check that log to make sure no entries remain:
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
=============================================
I do advise that this search keyword be removed and reset back to Google or another reliable search engine. This one appears to be 'ad friendly' and most times is not put on intentionally by the user. Some users also had a difficult time resetting this:
search.search-star.net
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
Easiest way to do that:
  • Open Firefox> type about:config in the Address bar> Enter
  • Click on "I'll be careful, I promise!"
  • Type keyboard.url in the Filter box> Enter 3: then write 'keyword.url' in the filter and hit enter 4:
    • Right click on it and select Modify
    • Paste http://www.google.com/search?hl=en&source=hp&biw=957&bih=456&q=> Enter
    • Restart Firefox to make the change.

===============================
Has the redirect been resolved? Is there any other malware related problem?
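As an added example (not part of this thread or of any tool used in it), a small Python script that reads the prefs.js and user.js lines the ComboFix "FF - prefs.js / user.js" entries come from, flags keyword.URL and the homepage when they point outside the hosts the user chose (Google and Yahoo are assumed trusted here), and strips the offending lines. It also checks user.js separately, because Firefox copies user.js into prefs.js at every start, so a hijack left there comes back after an about:config edit.

```python
import re
from urllib.parse import urlparse

# One user_pref() line as Firefox writes it to prefs.js and reads it from user.js,
# e.g.  user_pref("keyword.URL", "http://search.example/?q=");
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

# URL-valued preferences the ComboFix "FF -" lines show pointing at search-star.
WATCHED_PREFS = ("keyword.URL", "browser.startup.homepage")
# Assumption: the hosts this user actually chose; anything else is treated as a hijack.
TRUSTED_HOSTS = {"www.google.com", "google.com", "www.yahoo.com", "yahoo.com"}

def parse_prefs(text):
    """Map pref name -> raw value (still JS-quoted) for every user_pref() line."""
    matches = (PREF_RE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def hijacked(prefs):
    """Return {pref: host} for watched prefs whose URL host is not trusted."""
    bad = {}
    for name in WATCHED_PREFS:
        raw = prefs.get(name)
        if raw is None or not raw.startswith('"'):
            continue                      # absent, or not a string value
        host = urlparse(raw.strip('"')).hostname or ""
        if host and host not in TRUSTED_HOSTS:
            bad[name] = host
    return bad

def strip_hijacked(text):
    """Drop the hijacked user_pref() lines so Firefox falls back to its defaults."""
    bad = hijacked(parse_prefs(text))
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not (m and m.group(1) in bad):
            kept.append(line)
    return "\n".join(kept) + "\n"

def audit_profile(files):
    """files maps file name -> contents for prefs.js and user.js.
    Firefox copies user.js into prefs.js at every start, so a hijack in user.js
    returns after any about:config edit; those prefs are listed separately."""
    report = {name: hijacked(parse_prefs(text)) for name, text in files.items()}
    report["reapplied_on_startup"] = sorted(report.get("user.js", {}))
    return report

# Constructed sample files mirroring the "FF - prefs.js / user.js" log lines above.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("keyword.URL", "http://search.search-star.net/?sid=10101038100&s=");
user_pref("network.proxy.type", 4);
"""
SAMPLE_USER_JS = """\
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.search.order.1", "Google");
user_pref("keyword.URL", "http://search.search-star.net/?sid=10101038100&s=");
"""

if __name__ == "__main__":
    for name, found in audit_profile({"prefs.js": SAMPLE_PREFS_JS,
                                      "user.js": SAMPLE_USER_JS}).items():
        print(f"{name}: {found}")
    print(strip_hijacked(SAMPLE_PREFS_JS))
```

Run it against the real files only with Firefox closed, since Firefox rewrites prefs.js on exit.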
 
HiJackThis Log

I ran HiJackThis.

I did have trouble with the Firefox fix.
The 3rd bullet you had said:
Type keyboard.url in the Filter box> Enter 3: then write 'keyword.url' in the filter and hit enter 4:

I was confused with this. I entered the keyboard.url but nothing came up. Little confused I guess.


HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:07:27 PM, on 6/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\WINDOWS\ASScrProlog.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNjA2Nzk5OTgyLUJBKzEtS1YzKzctWEwrMS1UMy1GUDkrNi1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzEtTElDKzc3LUZMMTArMS1TUDErMS1TUDFUQisxLVNVRCsxLVMxSSsxLVNVMysx"&"prod=90"&"ver=10.0.1375
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_Plugin.exe -update plugin
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://www.samsungdp.com/printerhelp/ActiveX/DrPrinter.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://imageupload8.autorevo.com/Cabs/ImageUploader5.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} (Java Plug-in 1.6.0_24) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://officedepotwebcafe.webex.com/client/wbs27-vzbprodcn/webex/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9394 bytes
 
Type keyboard.url in the Filter box> Enter 3: then write 'keyword.url' in the filter and hit enter 4:
I was confused with this. I entered the keyboard.url but nothing came up. Little confused I guess.

Did you press Enter?
======================================
Please reopen HijackThis to 'Do a system scan only'. Check each of the following if found:

O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNjA2Nzk 5OTgyLUJBKzEtS1YzKzctWEwrMS1UMy1GUDkrNi1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWD IwMTArMi1GMTBNMTBEKzEtTElDKzc3LUZMMTArMS1TUDErMS1TUDFUQisxLVNVRCsxLVMxSSsxL VNVMysx"&"prod=90"&"ver=10.0.1375
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} (Java Plug-in 1.6.0_24) -
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


Close all Windows except HijackThis and click on "Fix Checked."
============================
Click on Start> Run> type in services.msc> Enter> Double click on each of the Services below and set as instructed:
iPod Service> Set Startup type to Manual
NMIndexing> Set Startup Type to Manual
Java Quick Starter (jqs)> Set Startup type to Disabled> Stop the Service.
Exit Services

============================
I'd like to run catchme to check something out:
catchme is the rootkit/stealth malware scanner that scans for:
  • hidden processes
  • hidden registry keys
  • hidden services
  • hidden files
catchme can also delete, destroy and collect malicious files.

Download catchme.exe (137KB) and save to your desktop.
  • Double click the catchme.exe to run it
  • Click the "Scan" button to start scan
  • Open catchme.log to see results

Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format. Then paste the log in your next reply.
 
Catchme Log

Ok, figured out the Firefox thing. Only problem, I've done it twice, modifying to "google" but then when it restarts Firefox and I check it, it is back to the "search-star". Not sure why?

I fixed all the HiJack things and restarted.

Here is the Catchme Log:

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-14 12:01:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
 
Open Firefox
Go to this web page: https://addons.mozilla.org/en-US/firefox/addon/blocksite/
Download addon called Block Site
Close, then reopen Firefox
Find where the sites are blocked and type this in search.search-star.net> Block
(This is from others who couldn't remove this search.)
Reboot computer.

Your system is clean.
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 