TechSpot

Cannot get rid of "Redirect Virus"

Solved
By computernerd180
May 23, 2011
  1. I've run several scans: Malwarebytes, SUPERAntiSpyware, and AVG 2011. Malwarebytes and AVG find nothing. SUPERAntiSpyware (I'm not sure if I like it) found 92 but didn't fix them. Any time I've run it since, it continually finds 22 and says it fixes them, but they are always there. Internet is running slow and search results don't work most of the time! Please help, I have no clue how to fix this and need some great expertise!!!

    Malwarebytes log:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6610

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    5/23/2011 1:47:36 AM
    mbam-log-2011-05-23 (01-47-36).txt

    Scan type: Full scan (C:\|H:\|)
    Objects scanned: 280387
    Time elapsed: 1 hour(s), 37 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    AVG Log:

    Scan "Scheduled scan" completed.
    No infection was found during this scan
    Folders selected for scanning:;"Whole computer scan"
    Scan started:;"Monday, May 23, 2011, 6:11:55 AM"
    Scan finished:;"Monday, May 23, 2011, 7:05:28 AM (53 minute(s) 32 second(s))"
    Total object scanned:;"1163948"
    User who launched the scan:;"SYSTEM"

    SUPERAntiSpyware Log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 05/22/2011 at 08:15 PM

    Application Version : 4.52.1000

    Core Rules Database Version : 6999
    Trace Rules Database Version: 4811

    Scan type : Complete Scan
    Total Scan Time : 00:58:39

    Memory items scanned : 492
    Memory threats detected : 0
    Registry items scanned : 8666
    Registry threats detected : 0
    File items scanned : 22364
    File threats detected : 23

    Adware.Tracking Cookie
    C:\Documents and Settings\Elisha\Cookies\elisha@content.yieldmanager[3].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@pointroll[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@ad.yieldmanager[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@ads.undertone[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@casalemedia[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@trafficmp[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@content.yieldmanager[2].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@ads.lycos[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@classmates.112.2o7[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@burstnet[3].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@a1.interclick[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@specificclick[2].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@ad.wsod[2].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@adserver.adtechus[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@tribalfusion[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@serving-sys[2].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@zedo[2].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@traffic.prod.cobaltgroup[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@media6degrees[1].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@ads.pointroll[2].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@advertising[3].txt
    C:\Documents and Settings\Elisha\Cookies\elisha@ad.yieldmanager[2].txt

    Adware.CouponBar
    C:\WINDOWS\CPNPRT2.CID


    Any help would be appreciated. I am so lost. It just seems like I've tried everything I know how to do and cannot beat this! Thanks.
  2. Bobbye (Helper on the Fringe)

    Welcome to TechSpot! It's more helpful to 'get rid' of a redirect when you know what's causing it!


    Please follow the additional steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. computernerd180 (Topic Starter)

    Malwarebytes, GMER, DDS and Attach logs

    Here are all the logs I ran. Sorry for the delay. We got slammed with massive winds and were out of power for several hours last night. Thanks again.

    Malwarebytes log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6657

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/23/2011 4:29:46 PM
    mbam-log-2011-05-23 (16-29-46).txt

    Scan type: Quick scan
    Objects scanned: 167489
    Time elapsed: 6 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER Log:

    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit scan 2011-05-24 14:52:58
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SP1604N rev.TM100-24
    Running: lv0stpuq.exe; Driver: C:\DOCUME~1\Elisha\LOCALS~1\Temp\agrdafoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF7730738]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF77307DC]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF7730878]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF7730914]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38A1A3F4-95FF-1D4A-F69C-AEFBA5D8A524}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38A1A3F4-95FF-1D4A-F69C-AEFBA5D8A524}@iagegngbfbpkdnpaii 0x6A 0x61 0x6C 0x6D ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38A1A3F4-95FF-1D4A-F69C-AEFBA5D8A524}@haehnpmmnikkhkpk 0x6A 0x61 0x6C 0x6D ...

    ---- EOF - GMER 1.0.15 ----

    DDS Log:

    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Run by Elisha at 15:05:05 on 2011-05-24
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1149 [GMT -4:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
    C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Marketsplash by HP\HPLocalWebPrintAgent.exe
    svchost.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Elisha\My Documents\Downloads\dds.scr
    C:\WINDOWS\system32\WSCRIPT.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    uRun: [cdloader] "c:\documents and settings\elisha\application data\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Google Update] "c:\documents and settings\elisha\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [fxHelpdrv] rundll32.exe "c:\documents and settings\elisha\local settings\application data\directcrtlib\fxHelpdrv.dll",smpMapARM WinMobileCres
    mRun: [AlcxMonitor] ALCXMNTR.EXE
    mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
    mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
    mRun: [ASUS Camera ScreenSaver] c:\windows\ASScrProlog.exe
    mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
    StartupFolder: c:\docume~1\elisha\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\market~1.lnk - c:\program files\hewlett-packard\marketsplash by hp\HPLocalWebPrintAgent.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
    DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} - hxxp://www.samsungdp.com/printerhelp/ActiveX/DrPrinter.cab
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://imageupload8.autorevo.com/Cabs/ImageUploader5.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://officedepotwebcafe.webex.com/client/wbs27-vzbprodcn/webex/ieatgpc.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\elisha\application data\mozilla\firefox\profiles\4f4w6oap.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\elisha\application data\mozilla\firefox\profiles\4f4w6oap.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\elisha\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-1-26 88176]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys --> c:\windows\system32\drivers\ANDROIDUSB.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-05-23 19:19:28 -------- d-----w- c:\program files\FreeTime
    2011-05-23 17:52:16 -------- d-----w- c:\program files\LimeWire
    2011-05-23 03:50:31 -------- d-----w- c:\program files\CCleaner
    2011-05-20 17:26:27 -------- d-----w- c:\documents and settings\elisha\application data\SUPERAntiSpyware.com
    2011-05-20 17:26:27 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2011-05-20 17:26:14 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-05-17 01:11:11 -------- d-----w- c:\program files\iPod
    2011-05-17 01:11:06 -------- d-----w- c:\program files\iTunes
    2011-05-17 01:06:31 -------- d-----w- c:\program files\Bonjour
    .
    ==================== Find3M ====================
    .
    2011-05-15 19:16:12 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-04-15 01:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
    2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-04-05 04:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-03-29 17:08:28 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-03-18 18:32:10 71072 ----a-w- c:\windows\CouponPrinter.ocx
    2011-03-16 20:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    .
    ============= FINISH: 15:05:38.25 ===============

    Attach Log:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-05-19.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/11/2009 7:36:48 PM
    System Uptime: 5/24/2011 9:15:37 AM (6 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | Explorer4
    Processor: AMD Athlon(tm) XP 3200+ | Socket A | 2191/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 145 GiB total, 69.6 GiB free.
    D: is Removable
    E: is Removable
    H: is FIXED (FAT32) - 4 GiB total, 0.52 GiB free.
    J: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: USB Mass Storage Device
    Device ID: USB\VID_058F&PID_9360\9205291
    Manufacturer: Compatible USB storage device
    Name: USB Mass Storage Device
    PNP Device ID: USB\VID_058F&PID_9360\9205291
    Service: USBSTOR
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce MCP Networking Controller
    Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_80A71043&REV_A1\3&267A616A&0&20
    Manufacturer: Nvidia
    Name: NVIDIA nForce MCP Networking Controller
    PNP Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_80A71043&REV_A1\3&267A616A&0&20
    Service: NVENET
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Gigabyte GN-WP01GS PCI WLAN Card(Turbo)
    Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_E9341458&REV_00\4&2C03473B&0&3840
    Manufacturer: Gigabyte Technology Corp.
    Name: Gigabyte GN-WP01GS PCI WLAN Card(Turbo)
    PNP Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_E9341458&REV_00\4&2C03473B&0&3840
    Service: RT61
    .
    ==== System Restore Points ===================
    .
    RP1: 5/22/2011 11:52:09 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    7-Zip 4.65
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.4
    Aneesoft Free BlackBerry Video Converter
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Asus_LCD_ScreenSaver
    AttachmentOptions
    AVG 2011
    BitTorrent
    BlackBerry Desktop Software 5.0.1
    BlackBerry Desktop Software 6.0
    Bonjour
    BurnAware Free 3.0.1
    CCleaner
    Coupon Printer for Windows
    Debut Video Capture Software
    Easy DVD Creator 2.0.17
    ERUNT 1.1j
    Eyles 15e
    FormatFactory 2.60
    Free RAR Extract Frog
    FrostWire 4.20.6
    Google Chrome
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Memories Disc
    HP Officejet Pro 8500 A910 Basic Device Software
    HP Officejet Pro 8500 A910 Help
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp psc 1200 series
    hp psc 1200 series
    HP Update
    I.R.I.S. OCR
    Image Resizer Powertoy for Windows XP
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 24
    K-Lite Codec Pack 6.0.0 (Basic)
    LifeFrame2
    LightScribe 1.8.15.1
    LimeWire 5.6.2
    Macromedia Dreamweaver 8
    Macromedia Dreamweaver MX
    Macromedia Extension Manager
    Macromedia Fireworks 8
    Macromedia Fireworks MX
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Macromedia Flash MX
    magicJack
    Malwarebytes' Anti-Malware
    Marketsplash Print Software
    Marketsplash Shortcuts
    McAfee SiteAdvisor
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.17)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Multimedia Card Reader
    MyDSC2
    Nero 7 Essentials
    neroxml
    Network Print Monitor for Windows 2000/XP/2003
    NVIDIA Ethernet Driver
    OpenMG Limited Patch 4.0-04-07-14-01
    OpenMG Secure Module 4.0.00
    PrimoPDF
    PrimoPDF -- brought to you by Nitro PDF Software
    PrimoPDF Redistribution Package
    PrintKey2000
    Quicken 2010
    QuickTime
    Reach PN Studyware CD
    Realtek AC'97 Audio
    Roxio Media Manager
    Samsung CLP-310 Series
    SAMSUNG Dr. Printer
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Skype web features
    Skype™ 4.1
    SmartFTP Client 2.0
    SmartFTP Client 2.0 Setup Files (remove only)
    SonicStage 2.1.00
    Spybot - Search & Destroy
    SUPERAntiSpyware
    Turbo Lister 2
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (KB2443839)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VideoPad Video Editor
    vShare Plugin
    WebEx
    WebFldrs XP
    Windows Internet Explorer 8
    WinFF 1.3.1
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/24/2011 9:47:57 AM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
    5/24/2011 9:47:22 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    5/23/2011 12:08:49 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    5/22/2011 7:12:25 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
    5/22/2011 7:12:25 PM, error: Service Control Manager [7000] - The SSPORT service failed to start due to the following error: The system cannot find the file specified.
    5/22/2011 6:11:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Avgldx86 Avgmfx86 Fips SASDIFSV SASKUTIL
    5/22/2011 11:58:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    5/22/2011 11:56:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Avgldx86 Avgmfx86 Avgtdix Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
    5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/22/2011 11:56:00 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/22/2011 11:55:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    5/22/2011 11:55:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    5/20/2011 4:32:34 PM, error: System Error [1003] - Error code 10000050, parameter1 e3f7101c, parameter2 00000000, parameter3 bf83cfda, parameter4 00000001.
    .
    ==== End Of File ===========================
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    P2P or 'file sharing' Warning:
    You are using 3 file sharing programs:
    BitTorrent
    FrostWire 4.20.6
    LimeWire 5.6.2

As long as you use these programs, you can expect to get malware on your system. I strongly recommend that you uninstall them because:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
• As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
• Malware writers use these programs to include malicious content.
• File sharing is usually unmonitored and there is a danger that your private files might be accessed.
• The 'sharing' also includes malware that the shared system has on it.
• Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    ==========================================
If you choose not to uninstall the file sharing programs, please disable them and do not use them or accept downloads while I am helping you.
    ==========================================
    Questions and Comments:
    1). You are using 2 Site Advisors: McAfee and AVG. Suggest you remove one of them.
    2). Are you using the Google Android USB Driver now?
    3). Are you using SSPORT.sys 32bit Port Contention Driver from Samsung Electronics now?
    4). Did the redirect problem start before or after the following programs were installed?
    5/23/2011
    5/20/2011
    5/17/2011
    Did you download them from any file sharing programs or sites?
    5). Please uninstall HitmanPro35: It is only a bundle of free programs that can be found on the internet. The difference is that Hitman will only 'fix' or remove during the Trial Period, free. After that, you have to pay for the program. Whereas all of the programs in the bundle are fully functional and free, always.
    ===============================================
    You will have to uninstall AVG to run Combofix:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
Then download the current version and do the scan:
    Uninstall directions if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
• Click on Yes, to continue scanning for malware
• If Combofix asks you to update the program, allow
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Close any open browsers.
• Double click combofix.exe & follow the prompts to run.
• When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  [o] Click on the link to download the ESET Smart Installer. Save it to your desktop.
  [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
• Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Please leave all logs in next reply.
  5. computernerd180

    computernerd180 Newcomer, in training Topic Starter

    Here you go...

    Ok, here is what was done.

Uninstalled BitTorrent, FrostWire and LimeWire. I understand the cause for concern with these and it makes sense, so they are GONE!!! Thanks!

    I am not using Google Android USB Driver and am not sure even what that would be on there for. I've never had an Android phone.

Also SSPORT.sys 32bit Port Contention Driver from Samsung Electronics isn't being used. I'm not sure what that is. I used to have a Samsung printer but I do not anymore. Not sure if this driver is associated with that printer or not?

    The "redirect" has been here before any of the programs you listed. It was definitely here before the 17th!
    5/23/2011
    Quote:
    c:\program files\FreeTime
    c:\program files\LimeWire
    c:\program files\CCleane
    5/20/2011
    Quote:
    c:\program files\SUPERAntiSpyware
    5/17/2011
    Quote:
    c:\program files\iPod
    c:\program files\iTunes
    c:\program files\Bonjour

    I went to uninstall HitmanPro but it was not listed as an installed program. I think I may have uninstalled it a while back. I did find the folder under program files and deleted it.

I uninstalled AVG and installed Avast as you suggested. I was kind of confused in doing this. When Avast installed it suggested a scan, which I did. It found a couple of things and removed them. Then it suggested restarting the system so it could scan the computer before Windows starts. It stayed on this scan for hours. It found some corrupted music files, which I told it to delete. Then it showed me a bunch of .sys files, which I did not delete. It made me feel uncomfortable to be getting rid of those. I aborted the scan and went straight to the ComboFix scan. I'm not sure if I was supposed to even do the scan, but Avast acted like it wanted to so I let it!!!!

    Could not find the Avast log but these are in the Virus Chest:

    A0001735.dll
    C:\System Volume Information\_restore{D13FE2CF-60D8-4A9F-8651-658F754CA8FE}\RP5
    Win32:Mal0b-FH [Cryp]

    fxHelpdrv.dll
    C:\Documents and Settings\Elisha\Local Settings\Application Data\Directcrtlib
    Win32:Mal0b-FH [Cryp]

    Uninstalled and reinstalled ComboFix.

    ComboFix Log:
    ComboFix 11-05-25.01 - Elisha 05/25/2011 20:00:40.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1399 [GMT -4:00]
    Running from: c:\documents and settings\Elisha\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-25 01:00 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-05-25 01:00 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-25 00:59 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-25 00:59 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-25 00:59 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-25 00:59 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-25 00:59 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-25 00:59 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-25 00:58 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-25 00:58 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-25 00:57 . 2011-05-25 00:57 -------- d-----w- c:\program files\AVAST Software
    2011-05-25 00:57 . 2011-05-25 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-05-23 19:19 . 2011-05-23 19:19 -------- d-----w- c:\program files\FreeTime
    2011-05-23 17:52 . 2011-05-24 23:54 -------- d-----w- c:\program files\LimeWire
    2011-05-23 03:50 . 2011-05-23 03:50 -------- d-----w- c:\program files\CCleaner
    2011-05-20 17:26 . 2011-05-20 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-05-17 01:11 . 2011-05-17 01:11 -------- d-----w- c:\program files\iPod
    2011-05-17 01:11 . 2011-05-17 01:12 -------- d-----w- c:\program files\iTunes
    2011-05-17 01:06 . 2011-05-17 01:06 -------- d-----w- c:\program files\Bonjour
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-15 19:16 . 2009-10-19 13:31 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-03-29 17:09 . 2011-03-29 17:09 388096 ----a-r- c:\documents and settings\Elisha\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-03-29 17:08 . 2010-04-21 03:27 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Elisha\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
    "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-08 524288]
    "ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2009-08-25 37232]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]
    .
    c:\documents and settings\Elisha\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
    Marketsplash Print Software.lnk - c:\program files\Hewlett-Packard\Marketsplash by HP\HPLocalWebPrintAgent.exe [2010-10-11 93752]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-6-12 869376]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\Documents and Settings\\Elisha\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/24/2011 8:59 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/24/2011 9:00 PM 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/24/2011 9:00 PM 19544]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ASWSNX
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-07-18 22:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:04]
    .
    2010-07-17 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8271031119.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    2011-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003Core.job
    - c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
    .
    2011-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003UA.job
    - c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
    .
    2011-05-25 c:\windows\Tasks\User_Feed_Synchronization-{D6CA2E92-1012-45B4-8083-12DDB7804433}.job
    - c:\windows\system32\msfeedssync.exe [2008-07-12 08:31]
    .
    2010-01-24 c:\windows\Tasks\videopadSevenDaysInit.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-24 03:56]
    .
    2010-03-08 c:\windows\Tasks\videopadShakeIcon.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-24 03:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Elisha\Application Data\Mozilla\Firefox\Profiles\4f4w6oap.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-fxHelpdrv - c:\documents and settings\Elisha\Local Settings\Application Data\Directcrtlib\fxHelpdrv.dll
    SafeBoot-Wdf01000.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-25 20:14
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1004336348-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38A1A3F4-95FF-1D4A-F69C-AEFBA5D8A524}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "iagegngbfbpkdnpaii"=hex:6a,61,6c,6d,70,68,66,63,69,61,67,6e,68,6b,70,66,68,69,
    6b,69,00,f1
    "haehnpmmnikkhkpk"=hex:6a,61,6c,6d,70,68,66,63,69,61,67,6e,68,6b,70,66,68,69,
    6b,69,00,f1
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @DACL=(02 0010)
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @DACL=(02 0010)
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @DACL=(02 0010)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-05-25 20:22:38
    ComboFix-quarantined-files.txt 2011-05-26 00:22
    .
    Pre-Run: 75,625,074,688 bytes free
    Post-Run: 75,686,199,296 bytes free
    .
    - - End Of File - - B15D622FFE5CF1FA114F4D22C0D69F77

    ESETScan Log
    C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany.zip PHP/Kryptik.AB trojan
    C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany\footer.php PHP/Kryptik.AB trojan

    Thanks so much for looking this over!
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No problem! I can handle the removals of the 'unused' in the script for Combofix.
    ==============================
    For Eset entries: There is some discussion about similar entries being found on the WordPress footer. It didn't appear to have been resolved. There is a chance these are a False Positive. But their discussion took place over 7 months ago, so considering it is still coming up as a Trojan, I think it is safe to go ahead and remove it.
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany.zip 
      C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany\footer.php 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===================================
    Will be back after lunch with script for Combofix. Go ahead with the above now.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay then- let's continue:
    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\ssport.sys
    c:\windows\system32\drivers\androidusb.sys
    c:\windows\system32\drivers\hitmanpro35.sys
    Folder::
    c:\program files\LimeWire
    DDS::
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    mRun: [<NO NAME>] 
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1004336348-789336058-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38A1A3F4-95FF-1D4A-F69C-AEFBA5D8A524}*]
    Driver::
    SSPORT
    HTCAND32
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ===============================================
    Scheduled Tasks: You have some Tasks scheduled which I suggest you remove using Option #3 below:
    These tasks are:

    • c:\windows\Tasks\AppleSoftwareUpdate.job
    • c:\windows\Tasks\FRU Task (for the HP printer and digital imaging; the task's name is followed by a very long numerical string ending in '.job')
    • c:\windows\Tasks\videopadSevenDaysInit.job
    • c:\windows\Tasks\videopadShakeIcon.job
    Most of these found are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible and then only if needed for the system. The only auto-update I get is for the AV program.

    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
    To change the settings for a task: right-click the Task> click Properties> do any of the following:
    1. To change the schedule for the task, click the Schedule tab.
    2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
    3. To delete a task> right-click the task> click Delete.
    4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.
    ===============================
    Let me know how the system is doing when you finish this.
  8. computernerd180

    computernerd180 Newcomer, in training Topic Starter

    OTM and ComboFix Logs

    Ok, I did this backwards on accident so I hope it doesn't mess anything up that you had me do. I clicked the link in the email about ComboFix first and ran all of that which deleted what it need and then restarted the computer. I then removed the Scheduled Task which you suggested, thanks! I get tired of the Apple task popping up all the time. Then I was deleting emails and seeing the email about OTM. I went in and did the OTM after the ComboFix and Scheduled Task. I hope that is ok?

    As far as the computer. Start up is slow but I just think that is because it is an old computer. I usually leave it on 24/7 and don't ever notice the start up so I'm sure it is normal.

    As far as the wordpress theme and the footer problem. Is that a wordpress issue or just this theme? If you look at my blog, blog.darrenmcnew.com it has always had a messed up footer since I installed it. It's no big deal but now that you said it, it made me wonder if that is why?

    I do have an "advice" question. Since I uninstalled AVG and installed Avast, is there a reason for that? I've always used AVG and I am certainly not opposed to trying a different Anti Virus, my question is, which is your favorite or what do you recommend? I noticed you suggested Avast and another one. What are your thoughts? Also, Malwarebytes has seemed to be a great program. Should I keep it? And Spy Bot, is it worth keeping? I have mixed feelings if it is even doing anything or just taking up space!!!

    OK here are my logs.

    OTM Log:

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany.zip moved successfully.
    C:\Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany\footer.php moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Elisha
    ->Temp folder emptied: 5822 bytes
    ->Temporary Internet Files folder emptied: 7463883 bytes
    ->Java cache emptied: 583332 bytes
    ->FireFox cache emptied: 53474952 bytes
    ->Flash cache emptied: 5926 bytes

    User: LocalService
    ->Temp folder emptied: 65536 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 1198 bytes

    Total Files Cleaned = 59.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 05262011_172908

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    ComboFix Log:

    ComboFix 11-05-26.01 - Elisha 05/26/2011 16:22:11.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1369 [GMT -4:00]
    Running from: c:\documents and settings\Elisha\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Elisha\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\windows\system32\drivers\androidusb.sys"
    "c:\windows\system32\drivers\hitmanpro35.sys"
    "c:\windows\system32\drivers\ssport.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\LimeWire
    c:\program files\LimeWire\lib\unpackedJars.tmp
    c:\program files\vshare\vshare_toolbar.dll
    c:\windows\system32\drivers\hitmanpro35.sys
    .
    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\userinit.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_SSPORT
    -------\Service_HTCAND32
    -------\Service_SSPORT
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-26 01:36 . 2011-05-26 01:36 -------- d-----w- c:\program files\ESET
    2011-05-25 01:00 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-05-25 01:00 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-25 00:59 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-25 00:59 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-25 00:59 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-25 00:59 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-25 00:59 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-25 00:59 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-25 00:58 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-25 00:58 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-25 00:57 . 2011-05-25 00:57 -------- d-----w- c:\program files\AVAST Software
    2011-05-25 00:57 . 2011-05-25 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-05-23 19:19 . 2011-05-23 19:19 -------- d-----w- c:\program files\FreeTime
    2011-05-23 03:50 . 2011-05-23 03:50 -------- d-----w- c:\program files\CCleaner
    2011-05-20 17:26 . 2011-05-20 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-05-17 01:11 . 2011-05-17 01:11 -------- d-----w- c:\program files\iPod
    2011-05-17 01:11 . 2011-05-17 01:12 -------- d-----w- c:\program files\iTunes
    2011-05-17 01:06 . 2011-05-17 01:06 -------- d-----w- c:\program files\Bonjour
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-15 19:16 . 2009-10-19 13:31 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-03-29 17:09 . 2011-03-29 17:09 388096 ----a-r- c:\documents and settings\Elisha\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Elisha\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
    "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-08 524288]
    "ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2009-08-25 37232]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]
    .
    c:\documents and settings\Elisha\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
    Marketsplash Print Software.lnk - c:\program files\Hewlett-Packard\Marketsplash by HP\HPLocalWebPrintAgent.exe [2010-10-11 93752]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-6-12 869376]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\Documents and Settings\\Elisha\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/24/2011 8:59 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/24/2011 9:00 PM 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/24/2011 9:00 PM 19544]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-07-18 22:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:04]
    .
    2010-07-17 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8271031119.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    2011-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003Core.job
    - c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
    .
    2011-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003UA.job
    - c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
    .
    2011-05-26 c:\windows\Tasks\User_Feed_Synchronization-{D6CA2E92-1012-45B4-8083-12DDB7804433}.job
    - c:\windows\system32\msfeedssync.exe [2008-07-12 08:31]
    .
    2010-01-24 c:\windows\Tasks\videopadSevenDaysInit.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-24 03:56]
    .
    2010-03-08 c:\windows\Tasks\videopadShakeIcon.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-24 03:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    FF - ProfilePath - c:\documents and settings\Elisha\Application Data\Mozilla\Firefox\Profiles\4f4w6oap.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{043C5167-00BB-4324-AF7E-62013FAEDACF} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-26 16:46
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @DACL=(02 0010)
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @DACL=(02 0010)
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @DACL=(02 0010)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1100)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\program files\SmartFTP Client 2.0\smarthook.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\ALCXMNTR.EXE
    c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-26 16:56:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-26 20:56
    ComboFix2.txt 2011-05-26 00:22
    .
    Pre-Run: 75,426,639,872 bytes free
    Post-Run: 75,291,607,040 bytes free
    .
    - - End Of File - - DC1E98EC10A0EAED2266BB4B855A3835
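    The Firefox prefs in the ComboFix "Supplementary Scan" above show keyword.URL rewritten to a search-redirector and repeated in user.js, which is the kind of entry behind a "redirect virus". As an added example (not code from the thread or from ComboFix), this Python script scans a constructed excerpt modelled on that log and flags URL prefs pointing at hosts outside an assumed allowlist, prefs persisted through user.js, and proxy types worth reviewing; the allowlist and sample are assumptions for the example.

```python
"""Flag browser search / proxy hijacks in a ComboFix-style log excerpt.

Added example for this thread, not ComboFix's own code. It reads the
'FF - prefs.js:' / 'FF - user.js:' and 'uStart Page' lines that ComboFix
prints in its Supplementary Scan and reports settings a redirect infection
typically rewrites.
"""
import re
from urllib.parse import urlparse

# Constructed sample modelled on the log posted above. ComboFix writes
# "hxxp" instead of "http" so that the URLs in the log are not clickable.
SAMPLE_LOG = """\
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - prefs.js: network.proxy.type - 4
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
"""

# Assumption: the hosts this user deliberately chose as home/search pages.
TRUSTED_HOSTS = {"www.yahoo.com", "www.google.com", "www.bing.com"}

# Firefox prefs that carry a URL and that search-redirect malware rewrites.
URL_PREFS = {"keyword.URL", "browser.startup.homepage", "browser.search.defaulturl"}

# network.proxy.type values worth a second look: a manual proxy or a PAC
# script can route every request through a host the user never configured.
PROXY_TYPES_TO_REVIEW = {
    "1": "manual proxy configured",
    "2": "proxy autoconfig (PAC) URL configured",
}

FF_LINE = re.compile(r"^FF - (?P<file>prefs\.js|user\.js): (?P<pref>\S+) - (?P<value>.*)$")
START_PAGE = re.compile(r"^uStart Page = (?P<value>.*)$")


def refang(url):
    """Turn ComboFix's defanged hxxp:// back into http:// for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def host_of(value):
    """Hostname of a (possibly defanged) URL, or '' if it is not a URL."""
    return urlparse(refang(value)).hostname or ""


def check_line(line):
    """Return a list of (setting, value, reason) findings for one log line."""
    line = line.strip()
    findings = []

    m = START_PAGE.match(line)
    if m:
        value = m["value"].strip()
        host = host_of(value)
        if host and host not in TRUSTED_HOSTS:
            findings.append(("IE:Start Page", value, f"points at untrusted host {host}"))
        return findings

    m = FF_LINE.match(line)
    if not m:
        return findings
    file, pref, value = m["file"], m["pref"], m["value"].strip()
    setting = f"{file}:{pref}"

    if pref in URL_PREFS:
        host = host_of(value)
        if host and host not in TRUSTED_HOSTS:
            findings.append((setting, value, f"points at untrusted host {host}"))
        # user.js is re-applied every time Firefox starts and overrides
        # prefs.js, so a hijacked value there comes back after the user
        # "fixes" it in the options dialog.
        if file == "user.js":
            findings.append((setting, value, "set in user.js, which overrides prefs.js on every start"))
    elif pref == "network.proxy.type" and value in PROXY_TYPES_TO_REVIEW:
        findings.append((setting, value, PROXY_TYPES_TO_REVIEW[value]))
    return findings


def scan(log_text):
    """Scan every line of a ComboFix log excerpt and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for setting, value, reason in scan(SAMPLE_LOG):
        print(f"{setting}: {reason}\n    {value}")
```

    On the sample it reports the prefs.js keyword.URL entry, the same entry in user.js, and the user.js persistence, while the Yahoo home page and the auto-detect proxy setting pass.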
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    About this and 'slow':
    Okay to leave on- I hope that is either in Sleep or on Standby- but you still need to reboot occasionally to free up the memory.
    ===============================
    'Advice' questions:
    1. Since I uninstalled AVG and installed Avast, is there a reason for that? Yes, there is. Combofix won't run with AVG installed. AVG left no way for users to disable it fully to run scans.
    2. I've always used AVG and I am certainly not opposed to trying a different Anti Virus, my question is, which is your favorite or what do you recommend? I noticed you suggested Avast and another one. What are your thoughts? You can reinstall AVG after we have finished using Combofix. We offer Avast or Avira to be used as temporary AV when removing AVG, because they are both free and good.
    You can stay with either and add a firewall: Both of these are good, free and bi-directional:
    • Comodo
    • Zone Alarm
    Or you can get Nod32, which is excellent, but not free.
    3. Malwarebytes has seemed to be a great program. Should I keep it? No, don't keep on system. If needed, run the free scan occasionally. But this free version isn't going to auto-update. If you want the fully functional Mbam, you will have to purchase it.
    4. And Spy Bot, is it worth keeping? I have mixed feelings if it is even doing anything or just taking up space!!! Keep it. Remember to update and run scans. Another good antimalware program that will work in the background is:
    Spywareblaster: SpywareBlaster protects against bad ActiveX.
    5. Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.

    Some antimalware programs are 'find and fix.' Others are 'prevent'. So you need a balance between the two.

    Going to take lunch break. Will review Combofix log when I come back.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I may have you run Combofix again to see if there are any 'left over' entries from processes that have been removed. Back to the complaint about slow> you have many auto-update processes loading. that means they are going to be checking the internet several times a day, every day, looking for updates. This uses system resources as well as time.

    Did you know that the printer/imaging programs don't need to start on boot? To print: Click on File> Print.
    To use the HP Image Director: Open All Programs and select from there

    So all of the HP processes and any related to their imaging can be unchecked on the Startup menu.
    ====================================
    To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
      [IMG]
    • Click on Selective Startup
    • Choose the Startup tab:
      [IMG]
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes you do not need to start on boot> All of the following can be taken off the Startup menu:
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.

    Please open Firefox> Tools> Extensions> remove the following:
    Now update Java: Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Note: You do not need to put a separate extension for Java on Firefox.
    ========================================
    Repeat the Eset Online Virus scan, updating first. (Combofix removed an infected file, indicating there is still a 'leak' in the system security.)

    I need to check the Eset log before finishing up.
  11. computernerd180

    computernerd180 Newcomer, in training Topic Starter

    OK, Eset log

    Ok, I "unchecked" the start up programs you recommended and it seem to start a bit faster which is great. It makes sense to eliminate as much as possible. I guess when these programs install they automatically set up to start for update checks and such??? I guess I'll watch out for this in the future when installing certain things.

    Also, thank you so much for the great advice on the programs to use. Does AVG have a built in firewall? Avast and Avira don't? Like I said, I will try either of them. I'm actually thinking of uninstalling Avast and installing Avira. I don't know why but it seems like my computer opens things a bit slower than before and I'm thinking it may be Avast?

    Also something strange is happening and I'm not sure if it is Avast or something else I've done. When attempting to watch YouTube videos, the sound is very "choppy" when playing, like slight skipping. I also notice when I restarted after unchecking the startup things you told me to eliminate. When windows started and it played its "start up jingle", it sounded like the YouTube videos. Really choppy and skipping. It was weird. Not smooth and clear like usual.

    I am going to take your advice and uninstall Malwarebytes and configure SpyBot to work to its full advantage. I will also look into and install the other programs you recommended. I understand "antimalware" because of your explanation now and I thank you. I never knew some were to prevent while others fixed. That is very important to know and I'm very thankful you explained.

    Here is my Eset Log:
    C:\_OTM\MovedFiles\05262011_172908\C_Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany.zip PHP/Kryptik.AB trojan
    C:\_OTM\MovedFiles\05262011_172908\C_Documents and Settings\Elisha\My Documents\Professional Websites\z_Design Sites\Word Press\themes\Darren\miscellany\footer.php PHP/Kryptik.AB trojan
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Answering your questions and comments:
    1. Most downloads will place themselves on the Startup menu. This would also include whatever is bundled with it, such as an auto-update. Usually, if you can do a Custom Install instead of General, you can include or decline putting it on the startup menu.
    2. As far as I know, no free antivirus programs also have a firewall. That would be included in a 'suite' which is a purchase. But you can add a free firewall as mentioned. Also as mentioned, some would rather buy a suite and have everything bundled with it. My personal preference is not to use suites, but rather use individual, free-standing programs.
    3. I haven't used either Avast or Avira, but whichever you use, you should open the program's configuration before you start using it. Any program will have 'default' settings- that means that these settings come already set with the program. That does not mean you can't change them! For instance, having an AV program set to scan on boot isn't necessary and will slow load time down.
    4. Check the Device Manager as follows, with particular attention to the Sound, Video and Game Controllers:

    Using Safe Mode and Device Manager to troubleshoot.

    1) Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    2) Access the Device Manager: Control Panel> System> Hardware tab> Device Manager
    • Double-click (or highlight a device> Properties)> This will show Device Status and Device Usage
    • Disable the drivers for the following devices (if present) using the Device Usage for each
      [o] Display Adapters
      [o] Floppy Disk Controllers
      [o] Hard Disk Controllers
      [o] Keyboard
      [o] Mouse
      [o] Network Adapters
      [o] PCMCIA Socket
      [o] Ports
      [o] SCSI Controllers
      [o] Sound, Video, and Game Controllers

      An icon (image not reproduced here) appears on devices that aren't responding or whose drivers aren't installed properly.
      A different icon (image not reproduced here) appears on devices that have been disabled.

    3) Reboot the computer into normal mode.
    • If the computer successfully boots into normal mode, reenable half of the device drivers that were disabled and reboot.
    • Continue rebooting and reenabling successively more devices until Windows no longer boots normally.
    • One of the device drivers in the most recently reenabled group of drivers is causing the problem.
    ==============================================
    You have taken all of these off of the Startup Menu, correct? Did you uninstall any of them?
    Update and rescan with Combofix. I can then remove any 'left-over' entries (including Registry entries) in script to run:
  13. computernerd180

    computernerd180 Newcomer, in training Topic Starter

    ComboFix Scan

    Ok, so I went and messed with disabling some of the hardware like you recommended in Safe Mode. The computer booted fine every time. The first boot seemed like it ran smooth but I could not really tell because I had no sound when I went to YouTube. I started by turning on half and then one by one I was turning on each one. Then YouTube worked sound wise, but it was still choppy. I went through this process twice thinking it was something in the Audio/Video codec or drivers. When I had all those disabled the second time around, I could not hear anything but I could see that the video was still "skippy" or choppy when playing. I don't really know what to do about that. It is frustrating because I know that in the future it will always do this. Like I said, even the startup music is choppy and when I shut down or restart the sound is choppy so I know it is not YouTube!!! Computers are fun! You must have amazing patience! :)

    Anyways, here is the ComboFix log:

    ComboFix 11-05-29.01 - Elisha 05/30/2011 6:12.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1453 [GMT -4:00]
    Running from: c:\documents and settings\Elisha\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-30 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-30 10:06 . 2011-05-30 10:06 -------- d-----w- c:\documents and settings\Elisha\Application Data\Avira
    2011-05-29 18:33 . 2008-07-09 09:05 421888 ----a-w- c:\windows\system32\ac3filter.acm
    2011-05-29 18:33 . 2011-05-29 18:33 -------- d-----w- c:\program files\XP Codec Pack
    2011-05-29 02:32 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-05-29 02:32 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-05-29 02:32 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-05-29 02:32 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-05-28 23:09 . 2011-05-28 23:09 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-28 22:10 . 2011-05-28 22:10 -------- d-----w- c:\windows\nview
    2011-05-28 02:40 . 2011-05-28 02:40 -------- d-----w- c:\program files\Avira
    2011-05-28 02:40 . 2011-05-28 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-05-28 02:20 . 2011-05-28 23:07 -------- d-----w- c:\program files\SpywareBlaster
    2011-05-28 02:17 . 2011-05-28 02:17 -------- d-----w- c:\program files\COMODO
    2011-05-28 02:15 . 2011-05-30 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
    2011-05-27 20:46 . 2011-05-27 20:46 -------- d-----w- c:\program files\Common Files\Java
    2011-05-27 20:45 . 2011-05-27 20:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-05-26 21:29 . 2011-05-26 21:29 -------- d-----w- C:\_OTM
    2011-05-26 01:36 . 2011-05-26 01:36 -------- d-----w- c:\program files\ESET
    2011-05-25 00:57 . 2011-05-28 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-05-25 00:57 . 2011-05-25 00:57 -------- d-----w- c:\program files\AVAST Software
    2011-05-23 19:19 . 2011-05-23 19:19 -------- d-----w- c:\program files\FreeTime
    2011-05-23 03:50 . 2011-05-23 03:50 -------- d-----w- c:\program files\CCleaner
    2011-05-20 17:26 . 2011-05-20 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-05-17 01:11 . 2011-05-17 01:11 -------- d-----w- c:\program files\iPod
    2011-05-17 01:11 . 2011-05-17 01:12 -------- d-----w- c:\program files\iTunes
    2011-05-17 01:06 . 2011-05-17 01:06 -------- d-----w- c:\program files\Bonjour
    2011-05-07 20:17 . 2011-05-07 20:17 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
    2011-05-03 00:36 . 2011-05-03 00:36 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-05-03 00:36 . 2011-05-03 00:36 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-05-03 00:36 . 2011-05-03 00:36 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-05-03 00:36 . 2011-05-03 00:36 284744 ----a-w- c:\windows\system32\guard32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-27 20:44 . 2011-03-15 21:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-15 19:16 . 2009-10-19 13:31 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-03-29 17:09 . 2011-03-29 17:09 388096 ----a-r- c:\documents and settings\Elisha\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-05-26_00.15.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-05-30 00:01 . 2011-05-30 00:01 16384 c:\windows\temp\Perflib_Perfdata_570.dat
    + 2004-08-10 06:52 . 2004-08-10 06:52 49221 c:\windows\system32\rv40.dll
    + 2004-08-10 06:52 . 2004-08-10 06:52 49221 c:\windows\system32\rv30.dll
    + 2004-08-10 06:51 . 2004-08-10 06:51 57411 c:\windows\system32\rv20.dll
    + 2004-08-10 06:50 . 2004-08-10 06:50 49216 c:\windows\system32\rv10.dll
    + 2008-04-14 08:00 . 2011-05-28 19:55 68156 c:\windows\system32\perfc009.dat
    - 2008-04-14 08:00 . 2011-03-15 21:57 68156 c:\windows\system32\perfc009.dat
    + 2008-12-17 17:22 . 2008-12-17 17:22 93184 c:\windows\system32\ff_wmv9.dll
    + 2008-12-17 17:22 . 2008-12-17 17:22 57344 c:\windows\system32\ff_vfw.dll
    + 2011-05-29 02:32 . 2010-06-17 19:27 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2004-08-10 06:50 . 2004-08-10 06:50 65602 c:\windows\system32\cook.dll
    + 2004-08-10 06:50 . 2004-08-10 06:50 77889 c:\windows\system32\atrc.dll
    + 2004-08-10 06:50 . 2004-08-10 06:50 106561 c:\windows\system32\sipr.dll
    + 2010-07-23 03:49 . 2011-05-28 23:11 292792 c:\windows\system32\Restore\rstrlog.dat
    + 2003-11-25 23:32 . 2003-11-25 23:32 123392 c:\windows\system32\pncrt.dll
    - 2008-04-14 08:00 . 2011-03-15 21:57 435260 c:\windows\system32\perfh009.dat
    + 2008-04-14 08:00 . 2011-05-28 19:55 435260 c:\windows\system32\perfh009.dat
    + 2004-04-20 22:00 . 2004-04-20 22:00 172032 c:\windows\system32\OptimFROG.dll
    + 2008-12-17 16:59 . 2008-12-17 16:59 560802 c:\windows\system32\libmplayer.dll
    + 2011-05-27 20:45 . 2011-05-27 20:44 157472 c:\windows\system32\javaws.exe
    - 2011-03-15 21:51 . 2011-02-03 01:40 157472 c:\windows\system32\javaws.exe
    - 2011-03-15 21:51 . 2011-02-03 01:40 145184 c:\windows\system32\javaw.exe
    + 2011-05-27 20:45 . 2011-05-27 20:44 145184 c:\windows\system32\javaw.exe
    + 2011-05-27 20:45 . 2011-05-27 20:44 145184 c:\windows\system32\java.exe
    - 2011-03-15 21:51 . 2011-02-03 01:40 145184 c:\windows\system32\java.exe
    + 2004-08-10 06:52 . 2004-08-10 06:52 241723 c:\windows\system32\hxltcolor.dll
    + 2008-12-17 17:41 . 2008-12-17 17:41 884237 c:\windows\system32\ff_x264.dll
    + 2008-12-17 17:17 . 2008-12-17 17:17 239247 c:\windows\system32\ff_theora.dll
    + 2004-10-03 17:50 . 2004-10-03 17:50 129024 c:\windows\system32\ff_mpeg2enc.dll
    + 2004-11-24 19:25 . 2004-11-24 19:25 335872 c:\windows\system32\drvc.dll
    + 2004-08-10 06:51 . 2004-08-10 06:51 176195 c:\windows\system32\drv2.dll
    + 2004-08-10 06:50 . 2004-08-10 06:50 102464 c:\windows\system32\drv1.dll
    + 2011-05-27 20:46 . 2011-05-27 20:46 180224 c:\windows\Installer\b35a3e.msi
    + 2011-05-27 20:43 . 2011-05-27 20:43 675840 c:\windows\Installer\b35a2e.msi
    + 2011-05-29 14:06 . 2011-05-29 14:06 245760 c:\windows\ERDNT\AutoBackup\5-29-2011\Users\00000002\UsrClass.dat
    + 2011-05-29 14:06 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-29-2011\ERDNT.EXE
    + 2011-05-28 19:47 . 2011-05-28 19:47 245760 c:\windows\ERDNT\AutoBackup\5-28-2011\Users\00000002\UsrClass.dat
    + 2011-05-27 20:54 . 2011-05-27 20:54 245760 c:\windows\ERDNT\AutoBackup\5-27-2011\Users\00000002\UsrClass.dat
    + 2011-05-27 20:54 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-27-2011\ERDNT.EXE
    + 2011-05-26 20:44 . 2011-05-26 20:44 245760 c:\windows\ERDNT\AutoBackup\5-26-2011\Users\00000002\UsrClass.dat
    + 2011-05-26 20:44 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-26-2011\ERDNT.EXE
    + 2009-06-24 14:39 . 2009-06-24 14:39 1003520 c:\windows\system32\VSFilter.dll
    + 2009-06-11 16:14 . 2008-04-14 09:42 4274816 c:\windows\system32\nv4_disp(7).dll
    + 2009-06-11 16:14 . 2008-04-14 09:42 4274816 c:\windows\system32\nv4_disp(6).dll
    + 2009-06-11 16:14 . 2008-04-14 09:42 4274816 c:\windows\system32\nv4_disp(5).dll
    + 2009-06-11 16:14 . 2008-04-14 09:42 4274816 c:\windows\system32\nv4_disp(4).dll
    + 2009-06-11 16:14 . 2008-04-14 09:42 4274816 c:\windows\system32\nv4_disp(3).dll
    + 2008-12-19 15:15 . 2008-12-19 15:15 4338246 c:\windows\system32\libavcodec.dll
    + 2011-05-29 23:56 . 2011-05-29 23:56 3424768 c:\windows\Installer\21dc937.msi
    + 2011-05-28 02:15 . 2011-05-28 02:15 29083648 c:\windows\Installer\12a8a25.msi
    + 2011-05-29 14:06 . 2011-05-29 14:06 11333632 c:\windows\ERDNT\AutoBackup\5-29-2011\Users\00000001\NTUSER.DAT
    + 2011-05-28 19:47 . 2011-05-28 19:47 11333632 c:\windows\ERDNT\AutoBackup\5-28-2011\Users\00000001\NTUSER.DAT
    + 2011-05-27 20:54 . 2011-05-27 20:54 11333632 c:\windows\ERDNT\AutoBackup\5-27-2011\Users\00000001\NTUSER.DAT
    + 2011-05-26 20:44 . 2011-05-26 20:44 11333632 c:\windows\ERDNT\AutoBackup\5-26-2011\Users\00000001\NTUSER.DAT
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
    "ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2009-08-25 37232]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]
    .
    c:\documents and settings\Elisha\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Marketsplash Print Software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Marketsplash Print Software.lnk
    backup=c:\windows\pss\Marketsplash Print Software.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
    backup=c:\windows\pss\Printkey2000.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-06-10 00:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-01-07 17:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [5/2/2011 8:36 PM 242472]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [5/2/2011 8:36 PM 29400]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/28/2011 10:32 PM 136360]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - CMDAGENT
    *NewlyCreated* - CMDGUARD
    *NewlyCreated* - CMDHLP
    *NewlyCreated* - INSPECT
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-07-18 22:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003Core.job
    - c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
    .
    2011-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003UA.job
    - c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
    .
    2011-05-30 c:\windows\Tasks\User_Feed_Synchronization-{D6CA2E92-1012-45B4-8083-12DDB7804433}.job
    - c:\windows\system32\msfeedssync.exe [2008-07-12 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - ProfilePath - c:\documents and settings\Elisha\Application Data\Mozilla\Firefox\Profiles\4f4w6oap.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-30 06:23
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose, ZwOpenFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(812)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'lsass.exe'(868)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'explorer.exe'(3112)
    c:\windows\system32\WININET.dll
    c:\windows\system32\guard32.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    Completion time: 2011-05-30 06:29:20
    ComboFix-quarantined-files.txt 2011-05-30 10:28
    ComboFix2.txt 2011-05-26 20:56
    ComboFix3.txt 2011-05-26 00:22
    .
    Pre-Run: 73,760,169,984 bytes free
    Post-Run: 73,755,271,168 bytes free
    .
    - - End Of File - - 94A9A69663E76C33D27963AE6D7FFCB3
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I think you may have misunderstood my reason for your trip into the Device Manager. It was to look for errors in the drivers. Then if found, attempt driver update first- not disable!

    Of course you won't get any sound with all of the sound drivers disabled. Did you find any Errors, as described, in the Device Manager? If Yes, what were the errors on?

    So any sound from either the internet or the computer itself is scratchy. This is pointing to a bad sound card.
    As for the video problem: Have you tried viewing a video on another site other than YouTube? They do have problems occasionally. Are you associating 'choppy' with sound and video together, or separately? Meaning, if the sound is completely disabled (right click on Sound icon in Notification Area> Check Mute) does video play smoothly?

    The Combofix log is for me to look for any left-over entries for the programs you have unchecked on the Startup Menu. Did you just check the processes I listed- no uninstalls, right?
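A way to collect the driver-error information the Device Manager check above is looking for without clicking through every device, added here as an example and not part of either poster's instructions. It is read-only and assumes PowerShell 2.0 on Windows XP (hence Get-WmiObject); the error-code meanings for 10, 22 and 28 are the documented Device Manager codes, and everything else is reported by number.

```powershell
# Added example (not from the thread): list Plug and Play devices whose driver is
# reporting a problem, i.e. the devices Device Manager would mark with an error icon.
# Read-only. Assumes PowerShell 2.0 on Windows XP; ConfigManagerErrorCode 0 = OK.

# Documented Device Manager codes; anything not listed is shown as its number.
$errorText = @{
    10 = 'This device cannot start.'
    22 = 'This device is disabled.'
    28 = 'The drivers for this device are not installed.'
}

function Describe-ErrorCode {
    param([int]$Code)
    if ($errorText.ContainsKey($Code)) { return $errorText[$Code] }
    return "Code $Code"
}

# Every PnP device that is not in the "working properly" state
function Get-ProblemDevices {
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name     = $_.Name
                DeviceID = $_.DeviceID
                Problem  = Describe-ErrorCode $_.ConfigManagerErrorCode
            }
        }
}

# Sound and display adapters specifically, since the symptom is choppy audio/video.
# Both classes carry the same ConfigManagerErrorCode field as Win32_PnPEntity.
function Get-MediaDeviceStatus {
    $sound = Get-WmiObject -Class Win32_SoundDevice |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind   = 'Sound'
                Name   = $_.Name
                Status = Describe-ErrorCode $_.ConfigManagerErrorCode
            }
        }
    $video = Get-WmiObject -Class Win32_VideoController |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind   = 'Video'
                Name   = ($_.Name + ' (driver ' + $_.DriverVersion + ')')
                Status = Describe-ErrorCode $_.ConfigManagerErrorCode
            }
        }
    $sound + $video
}

"== Devices reporting a problem =="
Get-ProblemDevices | Format-Table Name, Problem, DeviceID -AutoSize

"== Sound and video devices =="
Get-MediaDeviceStatus | Format-Table Kind, Name, Status -AutoSize
```

An empty first table means Device Manager has no error icons to find, and the bisection by disabling devices is unlikely to turn anything up; a device listed with code 22 after the earlier safe-mode exercise is simply one that was never re-enabled.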
  15. computernerd180

    computernerd180 Newcomer, in training Topic Starter

    Sound/Video and Startup

    Ok,

    When starting, everything seems to be fine other than the sound is choppy. Whether I play music on the computer, the start up sound or videos, it is doing it. It is the video along with the audio, it's as if something is "lagging" or running slow. It was fine before I cleaned it up. If I disable all the sound options, videos are still "choppy" or "lagging" a bit. I'm not sure what the deal would be. Would it be bad to uninstall and reinstall all audio/video related drivers and codecs or do you think it is something else?

    As far as the start up, I did not uninstall or delete anything. I just unchecked what you suggested and then at the restart I checked the box that I wanted to continue in the mode where I selected what I wanted to start and to not show me the message again. I just checked msconfig again and they are still all unchecked. However it seems like the Java one keeps checking itself back. I've checked twice and after restarts it seems to be checked but the rest are still unchecked. I'll just keep un-checking every time I start, I'll keep an eye on that one.

    The computer and internet seem to be running good. The search is working like it should and I appreciate it a lot. This computer is still running pretty awesome for the year but I have to expect that things can go wrong with its age as well.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    For Java: Control Panel> Java> Update tab> Uncheck 'Check automatically for updates'> Click on Yes to confirm> Apply> OK
    ==================================
    You now have 2 antivirus programs on the system:
    2011-05-28 02:40 -------- d-----w- c:\program files\Avira
    2011-05-25 00:57 -------- d-----w- c:\program files\AVAST Software
    If you plan to reinstall AVG when we finish, you can uninstall both
    ====================================
    Use the msconfig utility to uncheck any processes on the Startup menu that don't need to start on boot and run in the background. Uninstall any programs you are no longer using.
    ======================================
    When you have finished the above, Please update and rescan with Combofix.

    Tell me which of the programs in my quote box you have taken off of the Startup menu and which, if any, you have uninstalled. Then I will remove any 'left over' files or drivers and we will finish up.
    =====================================
    As for the audio/video problems, that's not in my area of knowledge. Please start a thread in the Hardware or Sound forum for those problems.
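The ComboFix "Reg Loading Points" section earlier in the thread lists the same autostart locations that msconfig edits, and the poster's observation that the Java entry keeps re-checking itself is the usual sign of a program re-registering its own Run value on start. The script below, added here as an example and not from either poster, reads those locations so the active list can be compared against what msconfig shows as unchecked. It is read-only and assumes PowerShell 2.0 on Windows XP; the registry paths are the standard ones, and the startupreg values (command, key) are the ones XP's msconfig writes when an entry is unchecked.

```powershell
# Added example (not from the thread): enumerate the autostart points that the
# ComboFix "Reg Loading Points" section reports, read-only. Assumes PowerShell 2.0
# on Windows XP and the standard Run/RunOnce, msconfig startupreg and AppInit paths.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Values that are live right now; these run on every logon.
function Get-RunEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{
                Key   = $key
                Name  = $p.Name
                Value = $p.Value
            }
        }
    }
}

# Entries msconfig has unchecked on XP are moved under startupreg. They are not
# active, but a program that re-creates its Run value (the Java updater behaviour
# described above) will show up in BOTH lists until its own auto-update is turned off.
function Get-MsconfigDisabled {
    $base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base | ForEach-Object {
        $item = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Name    = $_.PSChildName
            Command = $item.command
            Key     = $item.key
        }
    }
}

# Names present both as a live Run value and as an msconfig-disabled entry
function Get-ReappearingEntries {
    $disabled = @(Get-MsconfigDisabled | ForEach-Object { $_.Name })
    Get-RunEntries -Keys $runKeys | Where-Object { $disabled -contains $_.Name }
}

# AppInit_DLLs is loaded into every process that links user32.dll. The thread's log
# shows COMODO's guard32.dll here; anything unfamiliar in this value deserves a look.
function Get-AppInitDlls {
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    (Get-ItemProperty -Path $winKey).AppInit_DLLs
}

"== Active Run/RunOnce entries =="
Get-RunEntries -Keys $runKeys | Format-Table Name, Value, Key -AutoSize

"== Entries msconfig has unchecked =="
Get-MsconfigDisabled | Format-Table Name, Command -AutoSize

"== Unchecked entries that have re-created themselves =="
Get-ReappearingEntries | Format-Table Name, Value -AutoSize

"== AppInit_DLLs =="
Get-AppInitDlls
```

Anything in the third table is a program that is putting itself back; unchecking it in msconfig again will not stick, which is why the advice above goes to the program's own update setting rather than to msconfig.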
  17. computernerd180

    computernerd180 Newcomer, in training Topic Starter

    ComboFix

    Ok,

    In start up I disabled RIM Auto Update and Google Update.

    I uninstalled the following programs:
    Acrobat.com
    Apple Mobile
    Apple App Support
    Blackberry Desktop 5.0.1 and 6.0
    K-Lite Codec Pack
    Skype
    Skype 4.1
    XP Codec Pack
    MyDSC2 (What is this)? I read it might be something for my digital camera???

    Here is my newest ComboFix Log:

    ComboFix 11-06-04.02 - Elisha 06/03/2011 20:59:11.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1490 [GMT -4:00]
    Running from: c:\documents and settings\Elisha\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-04 to 2011-06-04 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-04 00:47 . 2011-06-04 00:47 -------- d-----w- c:\windows\LastGood
    2011-05-30 10:06 . 2011-05-30 10:06 -------- d-----w- c:\documents and settings\Elisha\Application Data\Avira
    2011-05-29 02:32 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-05-29 02:32 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-05-29 02:32 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-05-29 02:32 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-05-28 23:09 . 2011-05-28 23:09 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-28 22:10 . 2011-05-28 22:10 -------- d-----w- c:\windows\nview
    2011-05-28 02:40 . 2011-05-28 02:40 -------- d-----w- c:\program files\Avira
    2011-05-28 02:40 . 2011-05-28 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-05-28 02:20 . 2011-05-28 23:07 -------- d-----w- c:\program files\SpywareBlaster
    2011-05-28 02:17 . 2011-05-28 02:17 -------- d-----w- c:\program files\COMODO
    2011-05-28 02:15 . 2011-05-30 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
    2011-05-27 20:46 . 2011-05-27 20:46 -------- d-----w- c:\program files\Common Files\Java
    2011-05-27 20:45 . 2011-05-27 20:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-05-26 21:29 . 2011-05-26 21:29 -------- d-----w- C:\_OTM
    2011-05-26 01:36 . 2011-05-26 01:36 -------- d-----w- c:\program files\ESET
    2011-05-25 00:57 . 2011-05-28 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-05-23 19:19 . 2011-05-23 19:19 -------- d-----w- c:\program files\FreeTime
    2011-05-23 03:50 . 2011-05-23 03:50 -------- d-----w- c:\program files\CCleaner
    2011-05-20 17:26 . 2011-05-20 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-05-17 01:11 . 2011-05-17 01:11 -------- d-----w- c:\program files\iPod
    2011-05-17 01:11 . 2011-05-17 01:12 -------- d-----w- c:\program files\iTunes
    2011-05-17 01:06 . 2011-05-17 01:06 -------- d-----w- c:\program files\Bonjour
    2011-05-07 20:17 . 2011-05-07 20:17 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-27 20:44 . 2011-03-15 21:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-15 19:16 . 2009-10-19 13:31 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-05-03 00:36 . 2011-05-03 00:36 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-05-03 00:36 . 2011-05-03 00:36 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-05-03 00:36 . 2011-05-03 00:36 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-05-03 00:36 . 2011-05-03 00:36 284744 ----a-w- c:\windows\system32\guard32.dll
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-03-29 17:09 . 2011-03-29 17:09 388096 ----a-r- c:\documents and settings\Elisha\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-05-30_10.24.03 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-06-04 00:30 . 2011-06-04 00:30 16384 c:\windows\temp\Perflib_Perfdata_2e8.dat
    - 2008-04-14 09:42 . 2008-04-14 05:12 23552 c:\windows\system32\wdmaud.drv
    + 2008-04-14 09:42 . 2008-04-14 13:42 23552 c:\windows\system32\wdmaud.drv
    - 2008-04-14 04:15 . 2008-04-13 23:45 49408 c:\windows\system32\drivers\stream.sys
    + 2008-04-14 04:15 . 2008-04-14 08:15 49408 c:\windows\system32\drivers\stream.sys
    + 2009-06-12 00:53 . 2008-04-14 08:15 60160 c:\windows\system32\drivers\drmk.sys
    - 2009-06-12 00:53 . 2008-04-13 23:45 60160 c:\windows\system32\drivers\drmk.sys
    - 2008-04-14 09:42 . 2008-04-14 05:12 23552 c:\windows\system32\dllcache\wdmaud.drv
    + 2008-04-14 09:42 . 2008-04-14 13:42 23552 c:\windows\system32\dllcache\wdmaud.drv
    + 2008-04-14 04:15 . 2008-04-14 08:15 49408 c:\windows\system32\dllcache\stream.sys
    - 2008-04-14 04:15 . 2008-04-13 23:45 49408 c:\windows\system32\dllcache\stream.sys
    - 2009-06-12 00:53 . 2008-04-13 23:45 60160 c:\windows\system32\dllcache\drmk.sys
    + 2009-06-12 00:53 . 2008-04-14 08:15 60160 c:\windows\system32\dllcache\drmk.sys
    + 2011-06-04 00:47 . 2008-04-14 05:12 23552 c:\windows\LastGood\system32\wdmaud.drv
    + 2011-06-04 00:47 . 2008-04-13 23:45 49408 c:\windows\LastGood\system32\drivers\stream.sys
    + 2011-06-04 00:47 . 2008-04-13 23:45 60160 c:\windows\LastGood\system32\drivers\drmk.sys
    + 2004-09-07 17:47 . 2004-09-07 17:47 57344 c:\windows\ALCXMNTR.EXE
    - 2009-06-12 00:53 . 2004-09-07 09:17 57344 c:\windows\ALCXMNTR.EXE
    + 2009-06-12 00:53 . 2008-04-14 13:41 4096 c:\windows\system32\ksuser.dll
    - 2009-06-12 00:53 . 2008-04-14 05:11 4096 c:\windows\system32\ksuser.dll
    + 2009-06-12 00:53 . 2008-04-14 13:41 4096 c:\windows\system32\dllcache\ksuser.dll
    - 2009-06-12 00:53 . 2008-04-14 05:11 4096 c:\windows\system32\dllcache\ksuser.dll
    + 2011-06-04 00:47 . 2008-04-14 05:11 4096 c:\windows\LastGood\system32\ksuser.dll
    + 2003-11-25 23:32 . 2002-12-06 06:02 272896 c:\windows\system32\pncrt.dll
    + 2009-06-12 00:53 . 2008-04-14 08:49 146048 c:\windows\system32\drivers\portcls.sys
    - 2009-06-12 00:53 . 2008-04-14 00:19 146048 c:\windows\system32\drivers\portcls.sys
    + 2008-04-14 04:46 . 2008-04-14 08:46 141056 c:\windows\system32\drivers\ks.sys
    - 2008-04-14 04:46 . 2008-04-14 09:46 141056 c:\windows\system32\drivers\ks.sys
    - 2009-06-12 00:53 . 2008-04-14 00:19 146048 c:\windows\system32\dllcache\portcls.sys
    + 2009-06-12 00:53 . 2008-04-14 08:49 146048 c:\windows\system32\dllcache\portcls.sys
    + 2008-04-14 04:46 . 2008-04-14 08:46 141056 c:\windows\system32\dllcache\ks.sys
    - 2008-04-14 04:46 . 2008-04-14 09:46 141056 c:\windows\system32\dllcache\ks.sys
    + 2011-06-04 00:47 . 2008-04-14 00:19 146048 c:\windows\LastGood\system32\drivers\portcls.sys
    + 2011-06-04 00:47 . 2008-04-14 09:46 141056 c:\windows\LastGood\system32\drivers\ks.sys
    + 2011-06-03 23:30 . 2011-06-03 23:30 245760 c:\windows\ERDNT\AutoBackup\6-3-2011\Users\00000002\UsrClass.dat
    + 2011-06-03 23:30 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\6-3-2011\ERDNT.EXE
    + 2004-10-01 14:24 . 2004-10-01 14:24 2279424 c:\windows\system32\drivers\ALCXWDM.SYS
    - 2009-06-12 00:53 . 2004-10-01 05:54 2279424 c:\windows\system32\drivers\ALCXWDM.SYS
    + 2011-06-03 23:30 . 2011-06-03 23:30 11317248 c:\windows\ERDNT\AutoBackup\6-3-2011\Users\00000001\NTUSER.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
    "ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2009-08-25 37232]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]
    .
    c:\documents and settings\Elisha\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Marketsplash Print Software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Marketsplash Print Software.lnk
    backup=c:\windows\pss\Marketsplash Print Software.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
    backup=c:\windows\pss\Printkey2000.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-12-09 01:02 136176 ----atw- c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-06-10 00:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-01-07 17:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [5/2/2011 8:36 PM 242472]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [5/2/2011 8:36 PM 29400]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/28/2011 10:32 PM 136360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-07-18 22:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003Core.job
    - c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
    .
    2011-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-789336058-682003330-1003UA.job
    - c:\documents and settings\Elisha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-09 01:02]
    .
    2011-06-04 c:\windows\Tasks\User_Feed_Synchronization-{D6CA2E92-1012-45B4-8083-12DDB7804433}.job
    - c:\windows\system32\msfeedssync.exe [2008-07-12 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - ProfilePath - c:\documents and settings\Elisha\Application Data\Mozilla\Firefox\Profiles\4f4w6oap.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-03 21:09
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose, ZwOpenFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(796)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'lsass.exe'(852)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'explorer.exe'(3044)
    c:\windows\system32\WININET.dll
    c:\windows\system32\guard32.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    Completion time: 2011-06-03 21:14:32
    ComboFix-quarantined-files.txt 2011-06-04 01:14
    ComboFix2.txt 2011-05-30 10:29
    ComboFix3.txt 2011-05-26 20:56
    ComboFix4.txt 2011-05-26 00:22
    .
    Pre-Run: 73,605,574,656 bytes free
    Post-Run: 73,607,708,672 bytes free
    .
    - - End Of File - - 6EFF0FD0D6B46E42B41CF08A221D355E
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I don't see any entries remaining for the programs you uninstalled. If you will run HijackThis, I can check that log to make sure no entries remain:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
• The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    =============================================
I do advise that this search keyword be removed and reset back to Google or another reliable search engine. This one appears to be 'ad-friendly' and, most times, not put on intentionally by the user. Some users also had a difficult time resetting this:
    search.search-star.net
    FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
    Easiest way to do that:
    • Open Firefox> type about:config in the Address bar> Enter
• Click on "I'll be careful, I promise!"
    • Type keyboard.url in the Filter box> Enter 3: then write 'keyword.url' in the filter and hit enter 4:
• Right click on it and select Modify
• Paste http://www.google.com/search?hl=en&source=hp&biw=957&bih=456&q=> Enter
• Restart Firefox to make the change.

    ===============================
Has the redirect been resolved? Is there any other malware related problem?
  19. computernerd180

    computernerd180 Newcomer, in training Topic Starter

    HiJackThis Log

    I ran HiJackThis.

    I did have trouble with the firefox fix.
The 3rd bullet you had said:
    Type keyboard.url in the Filter box> Enter 3: then write 'keyword.url' in the filter and hit enter 4:

I was confused with this. I entered the keyboard.url but nothing came up. Little confused, I guess.


    HiJackThis Log:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:07:27 PM, on 6/9/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\WINDOWS\ASScrProlog.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNjA2Nzk5OTgyLUJBKzEtS1YzKzctWEwrMS1UMy1GUDkrNi1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzEtTElDKzc3LUZMMTArMS1TUDErMS1TUDFUQisxLVNVRCsxLVMxSSsxLVNVMysx"&"prod=90"&"ver=10.0.1375
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_Plugin.exe -update plugin
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
    O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
    O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://www.samsungdp.com/printerhelp/ActiveX/DrPrinter.cab
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://imageupload8.autorevo.com/Cabs/ImageUploader5.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} (Java Plug-in 1.6.0_24) -
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://officedepotwebcafe.webex.com/client/wbs27-vzbprodcn/webex/ieatgpc.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    --
    End of file - 9394 bytes
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36


    Did you press Enter?
    ======================================
Please reopen HijackThis to 'Do a system scan only'. Check each of the following, if found:

    O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
    O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - (no file)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNjA2Nzk5OTgyLUJBKzEtS1YzKzctWEwrMS1UMy1GUDkrNi1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzEtTElDKzc3LUZMMTArMS1TUDErMS1TUDFUQisxLVNVRCsxLVMxSSsxLVNVMysx"&"prod=90"&"ver=10.0.1375
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} (Java Plug-in 1.6.0_24) -
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


    Close all Windows except HijackThis and click on "Fix Checked."
    ============================
    Click on Start> Run> type in services.msc> Enter> Double click on each of the Services below and set as instructed:
    iPod Service> Set Startup type to Manual
    NMIndexing> Set Startup Type to Manual
    Java Quick Starter (jqs)> Set Startup type to Disabled> Stop the Service.
    Exit Services

    ============================
    I'd like to run catchme to check something out:
    catchme is the rootkit/stealth malware scanner that scans for:
    • hidden processes
    • hidden registry keys
    • hidden services
    • hidden files
    catchme can also delete, destroy and collect malicious files.

    Download catchme.exe ( 137KB ) and save to your desktop.
    • Double click the catchme.exe to run it
    • Click the "Scan" button to start scan
    • Open catchme.log to see results

    Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format. Then paste the log in your next reply.
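The entries Bobbye picks out in post #20 follow a pattern a helper applies by eye: an O2 BHO line ending in "(no file)" is an orphaned registration with no DLL behind it, an O16 DPF line with nothing after the trailing dash is a dead ActiveX download reference, and an O4 RunOnce that runs cmd.exe /c start http://... is a one-shot URL launcher (here AVG's uninstall-feedback hook), not an infection. The following is an added example, not code from the thread, from HijackThis or from TechSpot: it parses a HijackThis v2 log and applies those three rules, plus two checks a practitioner would add, flagging any O20 AppInit_DLLs entry for signer verification (a DLL listed there is loaded into every process that links user32.dll; the ComboFix Find3M report above dates guard32.dll together with the COMODO cmd*.sys drivers) and collecting O23 service binaries for hash lookup. The sample log is a constructed excerpt of the one posted above, and the rule names are this example's own.

```python
"""Triage a HijackThis v2 log (added example, not from the thread).

HijackThis prints one entry per line, prefixed with a section code:
  O2  - BHO: <name> - {CLSID} - <dll path | (no file)>
  O4  - <hive>\\..\\Run|RunOnce: [<value name>] <command line>
  O16 - DPF: {CLSID} (<description>) - <download URL, may be empty>
  O20 - AppInit_DLLs: <dll list>
  O23 - Service: <display name> (<short name>) - <vendor> - <binary path>
"""
import re

# Section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Constructed excerpt of the log posted above (not the full file).
SAMPLE_LOG = "\n".join([
    r"Logfile of Trend Micro HijackThis v2.0.4",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)",
    r"O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - (no file)",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=X",
    r"O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab",
    r"O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} (Java Plug-in 1.6.0_24) - ",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll",
    r"O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
])


def parse_log(text):
    """Return [(code, body)] for every entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def triage(entries):
    """Apply the triage rules; returns [(rule_name, entry_body)]."""
    findings = []
    for code, body in entries:
        if code == "O2" and body.endswith("(no file)"):
            # BHO CLSID registered but the DLL is gone: harmless, safe to fix.
            findings.append(("orphan_bho", body))
        elif code == "O16" and body.endswith("-"):
            # Downloaded Program File entry with no codebase URL left.
            findings.append(("orphan_dpf", body))
        elif code == "O4" and "RunOnce" in body and re.search(
                r"\bcmd\.exe\b.*\bstart\s+https?://", body, re.I):
            # One-shot entry that only opens a web page on next logon.
            findings.append(("runonce_opens_url", body))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            # Injected into every user32-linked process: verify the signer.
            findings.append(("appinit_dll_verify", body))
    return findings


def service_binaries(entries):
    """Collect O23 service binary paths for hash / signature lookup."""
    paths = []
    for code, body in entries:
        if code == "O23":
            parts = body.split(" - ")
            if len(parts) >= 3:          # display name - vendor - path
                paths.append(parts[-1])
    return paths


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for rule, body in triage(found):
        print(f"{rule:20s} {body}")
    print("service binaries to verify:", *service_binaries(found), sep="\n  ")
```

The rules are deliberately narrow: they reproduce the decisions made in the thread and pass everything else through untouched, which is the same posture as Bobbye's "do NOT have HijackThis fix anything yet". A real-file O2, O4 or O23 line should be verified by hash or signature rather than by name, since a legitimate path is exactly what a persistence entry would imitate.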
  21. computernerd180

    computernerd180 Newcomer, in training Topic Starter

    Catchme Log

Ok, figured out the Firefox thing. Only problem: I've done it twice, modifying it to "google", but when Firefox restarts and I check it, it is back to "search-star". Not sure why?

    I fixed all the HiJack things and restarted.

    Here is the Catchme Log:

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-14 12:01:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Open Firefox
    Go to this web page: https://addons.mozilla.org/en-US/firefox/addon/blocksite/
    Download addon called Block Site
Close, then reopen Firefox
Find where sites are blocked and type this in: search.search-star.net> Block
(This is from others who couldn't remove this search.)
    Reboot computer.

    Your system is clean.
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
• Choose Disk Cleanup
• Click "OK" to select the partition or drive you want.
• Click the "More Options" tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
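The reversion computernerd180 reports in post #21 (the about:config edit is back to search-star after a restart) lines up with the ComboFix output earlier on the page: keyword.URL is set in both prefs.js and user.js of the profile, and Firefox re-applies user.js over prefs.js at every start, so an about:config edit, which only touches prefs.js, cannot survive on its own. The following is an added example, not part of the thread and not from Firefox, Block Site or any tool used above; it audits both files for the preference and removes it from each, after which Firefox falls back to its built-in default. The sample file contents, the list of known-good URLs and the profile path argument are assumptions constructed for the example.

```python
"""Audit and reset Firefox's keyword.URL in a profile (added example).

Firefox keeps preferences in two files inside the profile directory:
  prefs.js - written by Firefox itself; about:config edits land here
  user.js  - optional, user-managed; re-applied over prefs.js on every start
An entry in user.js therefore re-imposes itself after any about:config
edit, so both files have to be checked. Close Firefox before writing:
it rewrites prefs.js on exit and would overwrite the change.
"""
import re
import sys
from pathlib import Path

# One preference per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$', re.M)

# Values accepted for keyword.URL (assumption for the example; extend with
# whatever engine the user actually wants).
GOOD_KEYWORD_URLS = {
    "https://www.google.com/search?q=",
    "http://www.google.com/search?hl=en&source=hp&biw=957&bih=456&q=",
}

# Constructed sample files mirroring the ComboFix "FF - prefs.js" and
# "FF - user.js" lines above (not real files from the affected machine).
SAMPLE_PREFS_JS = (
    'user_pref("browser.startup.homepage", "http://www.yahoo.com/");\n'
    'user_pref("keyword.URL", "http://search.search-star.net/?sid=10101038100&s=");\n'
    'user_pref("network.proxy.type", 4);\n'
)
SAMPLE_USER_JS = (
    'user_pref("browser.search.selectedEngine", "Google");\n'
    'user_pref("keyword.URL", "http://search.search-star.net/?sid=10101038100&s=");\n'
)


def parse_prefs(text):
    """Map pref name -> raw value (quotes kept) for every user_pref() line."""
    return {m.group(1): m.group(2).strip() for m in PREF_RE.finditer(text)}


def unquote(raw):
    """Strip the surrounding quotes of a string-valued preference."""
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def audit(prefs_js, user_js):
    """Report where keyword.URL is set and whether the value is known-good."""
    report = {}
    for label, body in (("prefs.js", prefs_js), ("user.js", user_js)):
        raw = parse_prefs(body).get("keyword.URL")
        if raw is not None:
            url = unquote(raw)
            report[label] = {"value": url, "hijacked": url not in GOOD_KEYWORD_URLS}
    return report


def strip_pref(text, name):
    """Return text with every user_pref("<name>", ...) line removed."""
    pattern = re.compile(r'^\s*user_pref\("%s",' % re.escape(name))
    return "".join(
        line for line in text.splitlines(keepends=True) if not pattern.match(line)
    )


def fix_profile(profile_dir, dry_run=True):
    """Remove keyword.URL from user.js and prefs.js under profile_dir.
    Keeps a .bak copy of each file it rewrites; dry_run only reports."""
    outcome = {}
    for name in ("user.js", "prefs.js"):
        path = Path(profile_dir) / name
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if "keyword.URL" not in parse_prefs(text):
            continue
        if not dry_run:
            path.with_name(name + ".bak").write_text(text, encoding="utf-8")
            path.write_text(strip_pref(text, "keyword.URL"), encoding="utf-8")
        outcome[name] = "removed" if not dry_run else "would remove"
    return outcome


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. the profile directory shown in the ComboFix log; add --apply to write
        print(fix_profile(sys.argv[1], dry_run="--apply" not in sys.argv[2:]))
    else:
        print(audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

Run it against the profile directory with Firefox closed; the default is a dry run that only reports which file still carries the preference. Deleting the entry rather than overwriting it avoids having to guess the right engine URL, and the .bak copies make the change reversible if a legitimate user.js setting was removed by mistake.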