[Closed] HP Vista will not install updates..hijack this log


MellyJC

My computer has had problems for a while now that the updater won't run/dies. Running Vista Home Premium. It is now up to "Installing 1 of 75" upon shutdown however it always hangs and never gets past the first update even if I let it sit for 24 hours. I've tried installing different updates in different order to try to get *something* to stick without success. Occasionally when running, I will get a message that the updater stopped working. Of course the fix for this is....updates.

I've just recently been clued in that this could be caused by an HP ActiveX security flaw. http://www.theregister.co.uk/2008/06/04/hp_support_app_multiple_vulns/

I've attempted to kill the registry per the instructions. Regardless of whether that's enough (I've only rebooted into safe mode since then, it hasn't tried to install updates) I want to clean things up.

My HijackThis log isn't pretty..thought I'd come to the pros before trying to clean anything. Please take a look and advise accordingly. I'd given up long ago on trying to get this machine running decently, but if it's possible now I'd love to. Hard-killing it every time it tries to update is not my preference.

Thank you!
 

Attachments
  • hijackthis.log (8.5 KB)
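The "kill the registry" step in the post above presumably refers to the Internet Explorer ActiveX kill bit, the standard registry mitigation for a vulnerable ActiveX control: IE will not instantiate a control whose "Compatibility Flags" DWORD under the ActiveX Compatibility key has bit 0x400 set. The PowerShell script below is an added example, not code from the thread, from HP or from any tool mentioned here; it lets the poster verify that the bit really is set rather than assuming it. The CLSID in it is a placeholder, because the thread does not give the CLSID of the affected HP control, and it assumes PowerShell 2.0 or later run with administrative rights.

```powershell
# Added example, not code from the thread: check whether Internet Explorer's ActiveX
# "kill bit" is set for a control. IE refuses to load a control whose
# "Compatibility Flags" DWORD under the ActiveX Compatibility key has bit 0x400 set.
# The CLSID below is a PLACEHOLDER; the thread does not give the CLSID of the HP control.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID
)

function Test-ActiveXKillBit {
    param([string]$Clsid)
    $KillBit = 0x400
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\' + $Clsid

    if (-not (Test-Path -LiteralPath $key)) {
        # No compatibility entry at all: the control is not blocked by a kill bit.
        return New-Object PSObject -Property @{
            Clsid = $Clsid; KeyPresent = $false; Flags = '0x0'; KillBitSet = $false
        }
    }
    $flags = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    $flags = [int]$flags
    New-Object PSObject -Property @{
        Clsid      = $Clsid
        KeyPresent = $true
        Flags      = ('0x{0:X}' -f $flags)
        KillBitSet = (($flags -band $KillBit) -eq $KillBit)
    }
}

# Report whether the control is registered at all (HKCR\CLSID), so that
# "kill bit not set" can be weighed against "control not installed on this machine".
function Get-ActiveXRegistration {
    param([string]$Clsid)
    $clsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\' + $Clsid
    if (-not (Test-Path -LiteralPath $clsidKey)) {
        return New-Object PSObject -Property @{ Clsid = $Clsid; Registered = $false; InprocServer32 = $null }
    }
    $server = (Get-ItemProperty -LiteralPath ($clsidKey + '\InprocServer32') -ErrorAction SilentlyContinue).'(default)'
    New-Object PSObject -Property @{ Clsid = $Clsid; Registered = $true; InprocServer32 = $server }
}

Test-ActiveXKillBit -Clsid $Clsid | Format-List Clsid, KeyPresent, Flags, KillBitSet
Get-ActiveXRegistration -Clsid $Clsid | Format-List Clsid, Registered, InprocServer32
```

Run it as `.\Check-KillBit.ps1 -Clsid '{...}'` with the real CLSID. A result of `KeyPresent = True, KillBitSet = True` means the registry change took effect; `Registered = False` means the control's DLL is no longer registered at all, which is the stronger outcome if the HP support software has been uninstalled.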
Sorry to hear you dabbled in the Registry! Did you make a backup first?

Failed updates can have several causes, malware being only one of them. I'll be glad to check the system for malware but we do not use HijackThis to 'screen' for malware.

Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
====================================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Thank you!

Ultimate sin, I know - did not make a fresh backup, kind of relying on an old one before registry dabbling. I could make excuses but won't do it again..following instructions now.

Now that I am actually on this computer again and seeing some of the archaic things on it I'm wondering if a format and reinstall may be the best option...will await your thoughts/advice.

Here are my logs:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7176

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

7/17/2011 12:15:08 PM
mbam-log-2011-07-17 (12-15-08).txt

Scan type: Quick scan
Objects scanned: 190885
Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

***** Small note, I ran GMER and assume it finished, but never got a message saying the scan was complete. Should I have? *****

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-07-17 12:45:23
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\00000055 ST336032 rev.3.CH
Running: GMER.exe; Driver: C:\Users\Melly\AppData\Local\Temp\pgldrpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x90E29398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_23
Run by Melly at 13:11:03 on 2011-07-17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1967 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\D-Link\D-Link USB VoIP Adapter\VServ.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Users\Melly\AppData\Local\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\taskeng.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\taskeng.exe
C:\Users\Melly\Downloads\GMER.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6] <no file>
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast! PDA Edition Updater] c:\progra~1\alwils~1\avast!~1\aswPdaUp.exe
mRun: [DLinkMonitor.exe] c:\program files\d-link\d-link usb voip adapter\DLinkMonitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
StartupFolder: c:\users\melly\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\melly\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Free YouTube to Mp3 Converter - c:\users\melly\appdata\roaming\dvdvideosoftiehelpers\youtubetomp3.htm
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 10.0.0.2
TCP: Interfaces\{52E9304E-D1AC-4A0F-8EAC-7C57EE548287} : DHCPNameServer = 10.0.0.2
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\windows mail\WinMail.exe" OCInstallUserConfigOE
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\melly\appdata\roaming\mozilla\firefox\profiles\v0jkl18z.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
FF - plugin: c:\progra~1\palmone\packag~1\NPInstal.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\melly\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\users\melly\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\melly\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
============= SERVICES / DRIVERS ===============
.
R0 TLRecAgent;TLRecAgent;c:\windows\system32\drivers\TLRecAgent.sys [2009-1-5 37208]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-15 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-7 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-7 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2007-12-11 54104]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 42184]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-4 24652]
R2 VService;VService;c:\program files\d-link\d-link usb voip adapter\VServ.exe [2007-1-2 105208]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-17 41272]
S3 slusbvip;SL3800 USB Driver;c:\windows\system32\drivers\slusbvip.sys [2009-1-5 591832]
S3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2009-1-5 85656]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-5-27 16896]
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~3\office\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2011-07-17 18:57:23 -------- d-----w- c:\users\melly\appdata\roaming\Malwarebytes
2011-07-17 18:57:17 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-17 18:57:16 -------- d-----w- c:\programdata\Malwarebytes
2011-07-17 18:57:13 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-17 18:57:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-16 04:09:23 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-16 03:57:30 388608 ----a-w- c:\users\melly\HijackThis.exe
2011-07-16 03:05:50 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1b82c615-5162-4ed8-ac70-ce3b28c0e595}\mpengine.dll
.
==================== Find3M ====================
.
2011-07-12 23:32:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:32:20 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-25 02:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 13:11:37.74 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-07-14.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 10/10/2007 11:04:36 AM
System Uptime: 7/17/2011 12:51:10 PM (1 hours ago)
.
Motherboard: ECS | | Nettle2
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket M2 | 2200/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 327 GiB total, 68.219 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.191 GiB free.
E: is CDROM ()
G: is Removable
H: is Removable
I: is FIXED (NTFS) - 190 GiB total, 49.532 GiB free.
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
3ivx D4 4.5.1 Decoder (remove only)
Acronis*True*Image*Home
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 8.1.7
AIM 6
Allway Sync version 9.4.11
Amazon MP3 Downloader 1.0.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
avast! PDA Edition
Bonjour
Canon iP1800 series
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Codejedi Inc Shadow Plan for PalmOS
D-Link USB VoIP Adapter
Diablo II
Dropbox
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Enhanced Multimedia Keyboard Solution
firstobject XML Editor version 2.3.2
Free Audio CD Burner version 1.4
Free YouTube to MP3 Converter version 3.7
Garmin Training Center v5
Garmin WebUpdater
Google Chrome
Google Talk (remove only)
Google Talk Plugin
HijackThis 2.0.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Advisor
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Picasso Media Center Add-In
HP Update
HPAsset component for HP Active Support Library
iTunes
Java Auto Updater
Java(TM) 6 Update 23
Java(TM) SE Runtime Environment 6 Update 1
Juniper Networks Network Connect 6.5.0
Juniper Networks Setup Client
Juniper Networks Setup Client Activex Control
Kurso de Esperanto 3
LightScribe 1.6.45.1
LJ Comment Stats Wizard 1.7
ljArchive
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Premium
Microsoft Office Home and Student 60 day trial
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.6.18)
MRIcroN (remove only)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
My HP Games
Myst III EXILE Patch 1.22
Myst III: Exile
Myst IV - Revelation
neroxml
Netflix Movie Viewer
NVIDIA Drivers
NVIDIA PhysX v8.09.04
Paint.NET v3.31
Palm-DB-Tools 0.3.6
Palm Desktop by ACCESS
Pilot-DB 1.1.3
Plucker 1.6
PSSWCORE
Python 2.5
QuickTime
Realtek High Definition Audio Driver
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for CAPICOM (KB931906)
Simplify Media
Skype Toolbars
Skype™ 4.2
Snapfish Picture Mover
Soft Data Fax Modem with SmartCP
SportTracks 2.1
TeLL me More CJ
The Journey to Wild Divine
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VideoToolkit01
Viewpoint Media Player
WeatherBug Gadget
Windows Live installer
Windows Live Sign-in Assistant
WinZip 15.0
Yahoo! Messenger
Yahoo! Search Protection
Zoom ADSL Modem
.
==== End Of File ===========================
 
GMER is okay. You can see the EOF (end of file) at the end.

When you mention updates, I took this to be referring to Windows update- is that correct?
==================================================
Please run the following: I will give you a script after you have run Combofix to remove some entries:
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message from ComboFix (screenshot not included here).
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==============================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=====================================
Remind me when we're finished to give you a list of the HP entries. You should check what they do and remove any you're not using. HP, like other computer manufacturers, preloads a lot of processes. I have found that most users don't know this, don't use most of the processes and don't realize they can remove the processes from Startup and uninstall what they don't use.
==============================================
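The advice above about reviewing preloaded startup entries, and the uRun/mRun/StartupFolder lines in the DDS report (including the `[Aim6] <no file>` entry whose target no longer exists), can be checked on the machine itself rather than by reading a log. The PowerShell script below is an added example, not code from the thread or from DDS, ComboFix or HijackThis: it enumerates the same Run and RunOnce keys and Startup folders those tools report, and for each entry shows whether the target file exists and whether it carries a valid Authenticode signature, so missing or unsigned targets can be researched first. It assumes PowerShell 2.0 or later and the Vista-style Startup folder locations that appear in the log (ProgramData and the user's roaming AppData).

```powershell
# Added example, not code from the thread: list autostart entries (Run/RunOnce keys
# and Startup folders) and report, per entry, whether the target file exists and
# whether it is validly Authenticode-signed. Missing targets and unsigned binaries
# are the ones to research before deciding what to remove.

$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Vista-style Startup folder locations (assumed; matches the paths shown in the DDS log).
$startupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Metadata properties that Get-ItemProperty adds to every registry key object.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable path out of a Run-key command line: the quoted first token,
# else the longest unquoted prefix that names an existing file (keeps paths with
# spaces intact), else a bare name such as RtHDVCpl.exe resolved via the system dirs.
function Get-ExecutablePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $parts = $cmd -split ' '
    for ($i = $parts.Length; $i -ge 1; $i--) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32")) {
        $p = Join-Path $dir $parts[0]
        if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
    }
    return $parts[0]   # unresolved: reported as missing below
}

function Get-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path   = Get-ExecutablePath $CommandLine
    $exists = ($null -ne $path) -and (Test-Path -LiteralPath $path -PathType Leaf)
    $status = 'FileMissing'
    $signer = $null
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status.ToString()      # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Target = $path
        Exists = $exists; Signature = $status; Signer = $signer
    }
}

function Get-AutostartReport {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $entries += Get-AutostartEntry -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($lnk in Get-ChildItem -LiteralPath $folder -Filter *.lnk) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            $entries += Get-AutostartEntry -Source $folder -Name $lnk.Name -CommandLine $target
        }
    }
    $entries
}

$report = Get-AutostartReport
$report | Sort-Object Exists, Signature | Format-Table Source, Name, Target, Exists, Signature, Signer -AutoSize
"`nEntries to research first (missing target or not validly signed):"
$report | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-Table Source, Name, Target, Signature -AutoSize
```

For rundll32-style entries (the NvCplDaemon and NvMediaCenter lines in the log) the script resolves and checks rundll32.exe itself; the DLL named in the arguments still has to be looked at by hand. A "Valid" signature only says who published the file, not that it is wanted, so the vendor-preloaded entries the helper mentions still need the "do I use this?" decision even when they are signed.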
 
Hi,

Yes, I'm referring to the Windows Updates that don't occur. There is also a driver/program that I can't seem to uninstall that always occurs on bootup that annoys me, although it doesn't cause any major problems, other than probably adding a bit to boot time. I know HP loaded a bunch of junk..some of it I left as 'maybe someday I'll explore if this is useful' but of course never do. Right now I'd just like a clean-running system so getting rid of that would be fine..especially if that was the breach that allowed the infection (grr)..

ComboFix 11-07-26.03 - Melly 07/26/2011 18:47:06.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1684 [GMT -7:00]
Running from: c:\users\Melly\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~1\COMMON~1\{525D3~1
c:\progra~1\COMMON~1\{525D3~1\SLMSICA.ini
c:\progra~1\COMMON~1\{525D3~1\slscp.log
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\autorun.inf
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Ivr.scp
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\readme.txt
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.exe
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.MSI
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.scp
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\SLExtBU\ivr.scp
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\SLExtBU\Setup.scp
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.cat
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.inf
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.sys
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvad.cat
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvad.inf
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvad.sys
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvipco.dll
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvipgx.dll
c:\progra~1\COMMON~1\{525D3~1\SLTLINK\TLRecAgent.sys
c:\users\Melly\AppData\Roaming\.#
c:\users\Melly\Documents\~WRL0003.tmp
c:\users\Melly\Documents\~WRL0575.tmp
c:\users\Melly\Documents\~WRL1064.tmp
c:\users\Melly\Documents\~WRL1660.tmp
c:\users\Melly\Documents\~WRL2540.tmp
c:\users\Melly\Documents\~WRL2931.tmp
c:\users\Melly\Documents\~WRL3727.tmp
c:\users\Melly\HijackThis.exe
c:\windows\system\MSVCIRT.DLL
c:\windows\system\olepro32.dll
c:\windows\system32\jusched.exe
c:\windows\system32\msconfig.exe
c:\windows\system32\searchindexer.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-27 to 2011-07-27 )))))))))))))))))))))))))))))))
.
.
2011-07-27 02:01 . 2011-07-27 02:01 -------- d-----w- c:\users\Sol\AppData\Local\temp
2011-07-27 02:01 . 2011-07-27 02:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-27 01:43 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{44B5D35C-7491-4446-99DD-66AD024DEEB3}\mpengine.dll
2011-07-17 18:57 . 2011-07-17 18:57 -------- d-----w- c:\users\Melly\AppData\Roaming\Malwarebytes
2011-07-17 18:57 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-17 18:57 . 2011-07-17 18:57 -------- d-----w- c:\programdata\Malwarebytes
2011-07-17 18:57 . 2011-07-17 18:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-17 18:57 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-16 04:09 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-12 23:32 . 2011-05-26 16:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-04 11:43 . 2011-01-29 02:33 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:43 . 2007-12-11 07:47 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-04 11:36 . 2008-04-07 15:31 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2007-12-11 07:48 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:32 . 2007-12-11 07:48 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2007-12-11 07:47 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-04 11:32 . 2008-04-07 15:31 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-25 02:14 . 2009-10-03 08:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-04 11:52 . 2010-12-19 20:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"googletalk"="c:\users\Melly\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-10 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13584928]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 92704]
"avast! PDA Edition Updater"="c:\progra~1\ALWILS~1\AVAST!~1\aswPdaUp.exe" [2004-01-09 507904]
"DLinkMonitor.exe"="c:\program files\D-Link\D-Link USB VoIP Adapter\DLinkMonitor.exe" [2007-01-03 651264]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
.
c:\users\Melly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Melly\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-07 41272]
R3 slusbvip;SL3800 USB Driver;c:\windows\system32\DRIVERS\slusbvip.sys [2007-01-02 591832]
R3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2007-01-02 85656]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S0 TLRecAgent;TLRecAgent;c:\windows\system32\DRIVERS\TLRecAgent.sys [2007-01-02 37208]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 VService;VService;c:\program files\D-Link\D-Link USB VoIP Adapter\VServ.exe [2007-01-02 105208]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-995884451-1569160325-2105184467-1000Core.job
- c:\users\Melly\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-11 21:32]
.
2011-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-995884451-1569160325-2105184467-1000UA.job
- c:\users\Melly\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-11 21:32]
.
2011-07-27 c:\windows\Tasks\User_Feed_Synchronization-{7953496C-BE4A-471F-B41C-02EF2517CB54}.job
- c:\windows\system32\msfeedssync.exe [2008-05-27 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&amp;source=iglk
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube to Mp3 Converter - c:\users\Melly\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
TCP: DhcpNameServer = 10.0.0.2
FF - ProfilePath - c:\users\Melly\AppData\Roaming\Mozilla\Firefox\Profiles\v0jkl18z.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Aim6 - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
AddRemove-HijackThis - c:\users\Melly\Documents\HijackThis.exe
AddRemove-Palm-DB-Tools_is1 - c:\users\Melly\Documents\Palm OS Desktop\pdbtools\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-26 20:04
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3332)
c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-07-26 20:08:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-27 03:08
.
Pre-Run: 76,742,868,992 bytes free
Post-Run: 76,170,231,808 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 32CC890797D12F640C2F56202DD62CAC

ESET log:
C:\Old backup sort\Program files\Sound Forge 8\Key_Generator.rar a variant of Win32/Keygen.AQ application
C:\Users\Melly\Downloads\neoragex06b.zip a variant of Win32/Packed.PECrypt32.A application
 
I'm very sorry- I didn't get the email feedback notice of a reply. That's two that didn't get through!

For Eset: Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    C:\Old backup sort\Program files\Sound Forge 8\Key_Generator.rar 
    C:\Users\Melly\Downloads\neoragex06b.zip
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
I don't know just what kind of directory this is>> C:\Old backup sort\Program files... but it has a pirated copy of a $400 program in it: Sound Forge 8. This program removed the malware. Please remove the pirated program.
========================================
Regarding your question about the completion of GMER, this means the end> ---- EOF - GMER 1.0.15 ----. EOF=end of file.
=======================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
Code:
File::
c:\program files\viewpoint\common\ViewpointService.exe
Extra::
File::
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
Firefox:: 
Firefox-: - Profile- c:\users\melly\appdata\roaming\mozilla\firefox\profiles\v0jkl18z.default\
DDS::
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
uRun: [Aim6] <no file>
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-
"AntiSpywareOverride"=-
Driver::
Viewpoint Manager Service
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
1. Please update Java: Java Updates
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
2. Please update Adobe Reader: Adobe Reader site
3. When finished go to Add/Remove Programs in the Control Panel and uninstall the following:
HijackThis v2.0.0
Adobe Reader 8.1.7
Java v6u23
Viewpoint>> any of the following programs associated with Viewpoint
[o] Viewpoint Manager
[o] Viewpoint Media Player
[o] Viewpoint Toolbar
4. Open Firefox: Tools> Addons> Remove Java v6u23
Note: You do not need to put a separate extension in Firefox when you update.
====================================================
Note: You should have as close as possible to 80% free on the hard drive. With the 2 drives you have, you have only 20%. So get rid of what you don't need, set up a good maintenance schedule and don't pirate any more programs or apps.

See one more step in next reply.
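The four Security Center entries the CFScript above deletes ("DisableMonitoring", "AntiVirusOverride", "AntiSpywareOverride") are worth understanding on their own: when set to 1 they silence the "no antivirus / no antispyware" warnings, which is why a leftover Symantec uninstall or malware that has disabled the AV both leave them behind. As an added example (not from this thread, from ComboFix or from OTM), here is a small Python script that reads a REGEDIT4-style "Reg Loading Points" section, flags those overrides when they are actually set, and prints the Registry:: block a CFScript would use to clear them with "=-". The sample log text inside it is constructed from the kind of entries shown in the log above; the function names are mine.

```python
"""
Flag Security Center tampering in a ComboFix 'Reg Loading Points' section.

Added example, not part of the original thread or of ComboFix. The sample
log below is constructed to mirror the entries seen in the thread; the key
paths and value names are the real Windows Security Center ones.
"""
import re

# Constructed sample in the shape ComboFix prints under 'Reg Loading Points'.
SAMPLE_LOG = """\
REGEDIT4
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

# Value names under the Security Center keys that, when non-zero, suppress
# the "no antivirus / firewall / antispyware" warnings. A clean uninstall
# clears them; malware sets them to hide a disabled product.
SUSPICIOUS = {
    "disablemonitoring",
    "antivirusoverride",
    "antispywareoverride",
    "firewalloverride",
}


def parse_reg_section(text):
    """Return {key_path: {value_name: raw_value}} for a REGEDIT4-style dump."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def is_set(raw):
    """True when a REGEDIT4 value is a non-zero DWORD such as dword:00000001."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    return bool(m) and int(m.group(1), 16) != 0


def find_security_center_overrides(text):
    """List (key_path, value_name) pairs that silence Security Center."""
    hits = []
    for key, values in parse_reg_section(text).items():
        if "security center" not in key.lower():
            continue
        for name, raw in values.items():
            if name.lower() in SUSPICIOUS and is_set(raw):
                hits.append((key, name))
    return hits


def cfscript_registry_block(hits):
    """Build the Registry:: block of a CFScript that deletes those values ('=-')."""
    by_key = {}
    for key, name in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_security_center_overrides(SAMPLE_LOG)
    for key, name in found:
        print(f"override set: {name} under {key}")
    print(cfscript_registry_block(found))
```

The policies\system entry in the sample is deliberately left alone: the check only fires for keys under "security center" and only when the DWORD is non-zero, so a value that has already been reset to 0 is not reported again after the fix.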

Do you know what this entry is? c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.exe
 
With an outdated Java, chances are good that there will be some bad entries in the Java cache, so you need to empty it:

To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel.
    java.png
    The Java Control Panel appears.
    plugin_cache1.jpg

    [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    plugin_cache2.jpg

    [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    plugin_cache3.jpg

    [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply> OK on Temporary Files Settings window.
Images courtesy java.com
 
OTM log:
All processes killed
========== FILES ==========
C:\Old backup sort\Program files\Sound Forge 8\Key_Generator.rar moved successfully.
File/Folder C:\Users\Melly\Downloads\neoragex06b.zip a not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Melly
->Temp folder emptied: 22462424 bytes
->Temporary Internet Files folder emptied: 1021467492 bytes
->Java cache emptied: 73705722 bytes
->FireFox cache emptied: 64944910 bytes
->Google Chrome cache emptied: 17970104 bytes
->Flash cache emptied: 208493 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Sol
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 53505180 bytes
->Java cache emptied: 23026440 bytes
->FireFox cache emptied: 40554831 bytes
->Flash cache emptied: 90298 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16156 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33239 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,257.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 08272011_143405

Files moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Combofix log
ComboFix 11-08-27.01 - Melly 08/27/2011 16:11:11.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1968 [GMT -7:00]
Running from: c:\users\Melly\Desktop\ComboFix.exe
Command switches used :: c:\users\Melly\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\viewpoint\common\ViewpointService.exe"
"c:\program files\viewpoint\viewpoint media player\npViewpoint.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\hp\hp software update\HPWuSchd2.exe
c:\program files\viewpoint\common\ViewpointService.exe
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
c:\windows\system32\comct332.ocx
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Viewpoint Manager Service
.
.
((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
.
.
2011-08-27 23:31 . 2011-08-27 23:31 -------- d-----w- c:\users\Sol\AppData\Local\temp
2011-08-27 23:31 . 2011-08-27 23:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-08-27 23:31 . 2011-08-27 23:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-27 22:23 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5B3E0B19-AC8B-47DE-9DA3-D86E21756BE9}\mpengine.dll
2011-08-27 21:34 . 2011-08-27 21:34 -------- d-----w- C:\_OTM
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-12 23:32 . 2011-05-26 16:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-07 02:52 . 2011-07-17 18:57 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-07-17 18:57 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 11:43 . 2011-01-29 02:33 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:43 . 2007-12-11 07:47 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-04 11:36 . 2011-07-16 04:09 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-04 11:36 . 2008-04-07 15:31 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2007-12-11 07:48 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:32 . 2007-12-11 07:48 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2007-12-11 07:47 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-04 11:32 . 2008-04-07 15:31 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"googletalk"="c:\users\Melly\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-10 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13584928]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 92704]
"avast! PDA Edition Updater"="c:\progra~1\ALWILS~1\AVAST!~1\aswPdaUp.exe" [2004-01-09 507904]
"DLinkMonitor.exe"="c:\program files\D-Link\D-Link USB VoIP Adapter\DLinkMonitor.exe" [2007-01-03 651264]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
.
c:\users\Melly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Melly\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-07 41272]
R3 slusbvip;SL3800 USB Driver;c:\windows\system32\DRIVERS\slusbvip.sys [2007-01-02 591832]
R3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2007-01-02 85656]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S0 TLRecAgent;TLRecAgent;c:\windows\system32\DRIVERS\TLRecAgent.sys [2007-01-02 37208]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
S2 VService;VService;c:\program files\D-Link\D-Link USB VoIP Adapter\VServ.exe [2007-01-02 105208]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-995884451-1569160325-2105184467-1000Core.job
- c:\users\Melly\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-11 21:32]
.
2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-995884451-1569160325-2105184467-1000UA.job
- c:\users\Melly\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-11 21:32]
.
2011-08-27 c:\windows\Tasks\User_Feed_Synchronization-{7953496C-BE4A-471F-B41C-02EF2517CB54}.job
- c:\windows\system32\msfeedssync.exe [2008-05-27 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&amp;source=iglk
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube to Mp3 Converter - c:\users\Melly\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
TCP: DhcpNameServer = 10.0.0.2
FF - ProfilePath - c:\users\Melly\AppData\Roaming\Mozilla\Firefox\Profiles\v0jkl18z.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-27 16:37
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3376)
c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-08-27 16:45:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-27 23:45
ComboFix2.txt 2011-07-27 03:08
.
Pre-Run: 161,262,227,456 bytes free
Post-Run: 163,266,035,712 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
- - End Of File - - 7705874390E307CDBA29F490144877A9

So when it came to removing Java and Adobe Reader I did not find the exact entries you referred to. I have these:

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 8.3.0
Java(TM) 6 Update 27
Java(TM) SE Runtime Environment 6 Update 1

Can you advise which ones I'm to remove?

I did ditch Viewpoint Media. There is no entry for Hijack This.

There is also a Java add-on for v26 in addition 27, FWIW. Should I get rid of that also?

I am not sure what you mean by :"You do not need to put a separate extension in Firefox when you update." I've let updates go automatically, I haven't done anything with extensions. Is that a setting somewhere?

I'm showing 46% space free on the hard drive. D is just a partition for factory restore..the computer came that way. I am trying to get it cleaned up but it's a very slow process since a low priority.

No idea what the SLTLINK\setup.exe is about. I know there's a pesky D-Link VOIP driver that I can't seem to get rid of, but may be completely unrelated.

Thank you for the help!
 
Keep Java(TM) 6 Update 27
Uninstall Java(TM) SE Runtime Environment 6 Update 1

Update the Adobe Reader to v10: Adobe Reader Update .
Uninstall Adobe Reader 8.3.0

The others aren't applicable.
==========================================
The state of your system is shown here in OTM: Total Files Cleaned = 1,257.00 mb
No system will run decently with that many excess files!
==========================================
My last instructions were 2 weeks ago. I would have closed the thread after 5 days, but this one slipped by.
The thread was started on 7/16
The ComboFix span of "Files Created" is from 2011-07-27 to 2011-08-27.
This is a kind way of saying the original logs are now outdated.
========================================
About this:
There is also a driver/program that I can't seem to uninstall that always occurs on bootup that annoys me, although it doesn't cause any major problems, other than probably adding a bit to boot time. I know HP loaded a bunch of junk..some of it I left as 'maybe someday I'll explore if this is useful' but of course never do. Right now I'd just like a clean-running system so getting rid of that would be fine..especially if that was the breach that allowed the infection (grr)..
1. You identify the driver as to what it goes to, then you take that process off of startup.
2. HP does add a huge number of processes, including an auto-updater. Identify the processes as to what they do. IF you don't need them, uninstall them. None of the processes need to be on startup. Here's a start:
HP Active Support Library
HP Active Support Library 32 bit components
HP Advisor
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Picasso Media Center Add-In
HP Update
HPAsset component for HP Active Support Library
3. I think this is the 'pesky driver' you're referring to:
S3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2009-1-5 85656]
[Version]
CatalogFile=slvad.cat
Signature="$CHICAGO$"
Class=MEDIA
Provider=%VoIPProvider%
ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}
DriverVer= 12/09/2005,1.12.06.00

[SourceDisksNames]
1=%DiskName%,"",,

[SourceDisksFiles]
slvad.sys=1
slvipgx.dll=1
slvipco.dll=1

[Manufacturer]
%MfgName%=MODEL_SECTION

[MODEL_SECTION]
%SLVAD_Simple.DeviceDesc%=SLVAD_Simple,{55280429-413E-460f-A31A-E19314823119}\VEN_2003&DEV_8800
%SLVAD_Simple.DeviceDesc%=SLVAD_Simple,{55280429-413E-460f-A31A-E19314823119}\VoIPAudio
Remove it from startup and I'll remove this entry.

4. I can remove malware and from that point, you'll have a "clean running system." But unless you remove the junk you don't need/want/use, you will never have a 'well running system.'
 
I know your last instructions were longer ago, and I appreciate your continued help despite my delays. I'm working 3 jobs and finding time when I'm actually at home and can work on this is a bit difficult.

Feels like a stupid question, but I'm not sure where to access to remove things from Startup. I'm only aware of the ones in the "Startup" on the menu from the Start button..which only contains MS Office, Palm Hotsync, and Dropbox. And yes, that would be the driver I can't get rid of.

Thanks..
 
There's an excellent walk through using the msconfig utility to uncheck processes on the Startup Menu HERE
There are screen shots to help you through. I do like to make a change in one place> when you have finished with the UAC section, you'll get this screen:
[image: vista_msconfig.gif]

Image courtesy of netsquirrel.

Instead of checking Normal Startup like in the image, check Selective Startup instead.
When you boot the first time after making changes, you'll get a nag message about being in a diagnostic mode. Close the message> Check 'don't show message again.' Stay in Selective Startup to keep the changes.
---------------------------------------
The above should make it easier for you. The only things you must leave on the Startup Menu are the antivirus, firewall if using a 3rd party FW like Zone Alarm, the process for the touchpad if on a laptop and if you have Cisco/Pure Networks, usually 2 processes for it. All the rest is optional.

Some entries are also started by a registry entry or a Service set to Automatic. Both of those can also be modified. Just keep in mind that it's better to have less running than more and you can use All Programs to access. Many users put the printer/scanner on Startup- they don't need to be> clicking on File> Print will give you access on a screen that will allow you to choose the features you want.

Once you get the system cleaned up and running well, you'll have more time to enjoy it!

Let me know once you have decided what to take off of Startup and I'll remove the entries starting from the registry and tell you how to change a Service to Manual. This does not uninstall anything- it just stops the process from starting on boot.

Edit: Forgot to tell you to open Firefox> Tools> Addons> remove Java v6u23 and v6u26. Be sure you update the system to Java v6u27>> you do not have to add a separate Java entry to Firefox.
 
Hm, well that didn't get very far. Searching for msconfig results in 3 png files and msconfig.exe.vir.

It, along with 3 other files, is in a Quarantine folder by Combofix: comct332.ocx, jusched.exe and searchindexer.exe. I assume the last explains why the search took so long, as it told me the indexer was turned off.

More looking shows that quarantine is the reason I'm getting errors about the HPupdate as well.

I see you've got the SLTLINK stuff in there too - which looks to be related to the DLink VoIP adapter you were going to help me get rid of.

So is there something I'm supposed to do with Combofix to restore msconfig, or do I just change the extension and move the file back to the regular system32 folder?
 
I don't understand what you mean by this:
Searching for msconfig results in 3 png files and msconfig.exe.vir.
.png files are Portable Network Graphics, (.png) a bitmap image file format> images
.vir file extension is a file infected with a computer virus that has been renamed by an antivirus software program, such as Symantec's Norton AntiVirus or Avira AntiVir; the ".vir" extension is typically appended to the filename (i.e. program.exe → program.exe.vir) to indicate the file is a virus and to prevent it from being executed.
-----------------------------------
I also don't understand where you found this or what the comment means:
It along with 3 other files are in a Quarantine folder by Combofix. comct332.ocx jusched.exe and searchindexer.exe
comct332.ocx is a comct332 belonging to Microsoft Common Controls 3 Object Library from Microsoft Corporation
jusched.exe is the executable that starts the Sun Java Update Scheduler
searchindexer.exe is the Windows service that handles indexing of your files for Windows Search
All 3 of these files are legitimate processes. Any of them can be stopped, one way by including the entry in the script to run through Combofix. But it would be a delete not a quarantine.
When Combofix quarantines a file or folder, it sends it to the Qoobox.

Nor does this make sense:
More looking shows that quarantine is the reason I'm getting errors about the HPupdate as well.
What errors are you getting?
-------------------
Go back to your last Combofix log and look at the beginning:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\program files\hp\hp software update\HPWuSchd2.exe

The file is there because I had this entry in the script that you ran through Combofix. Script shows:
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe which I removed as I try to discourage auto-updates. This was in anticipation of you unchecking what I listed. However, if you did not uncheck the entry on Startup then you will get an error on boot because I removed it.
================================
If you can't bring up the utility as instructed, try this:
By default, Windows Vista does not have the RUN function in the START menu. You can access RUN in two ways:
1. Press “Windows” and “R” keys simultaneously.
[image: run.jpg]

Type msconfig in the Open box> OK
or
2. Customize the START menu, taking these steps:
1. Right-click on the TASKBAR.
2. Select “PROPERTIES“
3. Check “Run command“.
4. Click OK.
So if you can clarify your comments, maybe I can guide you. All you had to do was bring up the msconfig utility. If you were trying to determine what an entry was for, look at the image below:
[image: startupaf9.jpg]


Do you see the >>>> to the left of the word 'Location'? There is a line to the right> hold your left mouse button down on the line and you will see a <->> move to the right to expand the Command column. That will show you what the entry is for.
 
I don't understand what you mean by this:

comct332.ocx is a comct332 belonging to Microsoft Common Controls 3 Object Library from Microsoft Corporation
jusched.exe is the executable that starts the Sun Java Update Scheduler
searchindexer.exe is the Windows service that handles indexing of your files for Windows Search
All 3 of these files are legitimate processes. Any of them can be stopped, one way by including the entry in the script to run through Combofix. But it would be a delete not a quarantine.
When Combofix quarantines a file or folder, it sends it to the Qoobox.

I do have "Run" on my Start button but when I got the message that Windows couldn't find 'msconfig', I followed the instructions from the link you sent (to do a standard search) to try and find it. I got the 4 entries mentioned. The pngs appear to be icon images. The .vir is exactly as you describe - it seems I cannot access msconfig because Combofix moved it to quarantine (I make this assumption because its path is C/Qoobox/quarantine/C/Windows/System32.) When I opened up the containing folder, that's when I found the other legitimate processes appear to have been quarantined also. On further investigation, I found the "Combofix-quarantined-files.txt" which does specifically list msconfig, searchindexer, etc.:

2011-08-27 23:19:08 . 2011-08-27 23:19:08 1,602 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Viewpoint Manager Service.reg.dat
2011-08-27 23:10:22 . 2011-08-27 23:10:22 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-07-27 03:07:35 . 2011-07-27 03:07:35 1,540 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Palm-DB-Tools_is1.reg.dat
2011-07-27 03:07:35 . 2011-07-27 03:07:35 710 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2011-07-27 03:06:56 . 2011-07-27 03:06:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-HotSync.reg.dat
2011-07-27 03:06:54 . 2011-07-27 03:06:54 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}.reg.dat
2011-07-27 03:06:53 . 2011-07-27 03:06:53 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat
2011-07-27 01:56:25 . 2011-08-27 23:18:40 5,174 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-07-27 01:40:10 . 2011-08-27 23:10:22 175 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-07-16 03:57:30 . 2011-07-16 03:57:32 388,608 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\HijackThis.exe.vir
2009-03-19 08:07:25 . 2009-03-19 08:08:06 58 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLMSICA.ini.vir
2009-01-06 04:59:05 . 2009-03-19 08:08:06 1,618 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\SLExtBU\ivr.scp.vir
2009-01-06 04:59:05 . 2009-03-19 08:08:06 994 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\SLExtBU\Setup.scp.vir
2009-01-06 04:59:05 . 2009-03-19 08:08:06 3,303 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\slscp.log.vir
2009-01-06 04:57:53 . 2007-01-02 20:30:28 37,208 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\TLRecAgent.sys.vir
2009-01-06 04:57:53 . 2007-01-02 20:39:40 248,664 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slvipgx.dll.vir
2009-01-06 04:57:53 . 2007-01-02 20:40:56 150,368 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slvipco.dll.vir
2009-01-06 04:57:53 . 2007-01-02 20:38:40 85,656 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slvad.sys.vir
2009-01-06 04:57:53 . 2007-01-04 18:38:22 6,117 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slvad.inf.vir
2009-01-06 04:57:53 . 2007-01-02 21:16:28 8,991 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slvad.cat.vir
2009-01-06 04:57:53 . 2007-01-02 20:31:28 591,832 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.sys.vir
2009-01-06 04:57:53 . 2007-01-04 18:38:06 8,758 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.inf.vir
2009-01-06 04:57:53 . 2007-01-02 21:16:26 8,572 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.cat.vir
2009-01-06 04:57:53 . 2007-01-03 22:58:32 2,280 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\Setup.scp.vir
2009-01-06 04:57:53 . 2007-01-04 18:43:44 4,421,120 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\Setup.MSI.vir
2009-01-06 04:57:53 . 2009-01-06 04:57:09 563,960 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\Setup.exe.vir
2009-01-06 04:57:53 . 2007-01-04 18:39:46 9,395 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\readme.txt.vir
2009-01-06 04:57:53 . 2006-07-04 18:42:22 1,841 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\Ivr.scp.vir
2009-01-06 04:57:53 . 2005-04-05 23:01:30 46 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\autorun.inf.vir
2008-08-15 19:02:32 . 2008-05-27 05:18:43 439,808 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\searchindexer.exe.vir
2008-05-27 21:07:59 . 2008-01-19 07:33:16 227,840 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir

2008-05-10 03:00:41 . 1996-07-19 18:19:08 74,752 ----a-w- C:\Qoobox\Quarantine\C\Windows\system\MSVCIRT.DLL.vir
2008-05-10 03:00:41 . 1996-06-19 23:21:32 76,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\system\olepro32.dll.vir
2008-01-04 19:40:17 . 2007-01-04 21:38:08 24,652 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Viewpoint\Common\ViewpointService.exe.vir
2008-01-04 19:39:28 . 2007-04-16 17:07:12 180,293 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll.vir
2007-08-24 18:58:39 . 2007-04-07 09:56:47 132,760 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\jusched.exe.vir
2007-05-08 23:24:20 . 2007-05-08 23:24:20 54,840 ----a-w- C:\Qoobox\Quarantine\C\Program Files\HP\HP Software Update\HPWuSchd2.exe.vir
2000-12-06 20:01:52 . 2000-12-06 20:01:52 415,176 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\comct332.ocx.vir
1970-01-01 00:00:00 . 2008-06-04 17:24:38 497,664 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL0003.tmp.vir
1970-01-01 00:00:00 . 2008-06-10 16:34:51 500,736 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL0575.tmp.vir
1970-01-01 00:00:00 . 2008-05-06 00:52:43 446,976 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL1064.tmp.vir
1970-01-01 00:00:00 . 2008-05-07 22:30:03 449,024 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL1660.tmp.vir
1970-01-01 00:00:00 . 2009-04-05 21:47:23 644,096 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL2540.tmp.vir
1970-01-01 00:00:00 . 2008-05-07 23:06:12 448,512 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL2931.tmp.vir
1970-01-01 00:00:00 . 2008-05-07 22:29:07 449,024 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL3727.tmp.vir


I have no explanation for why the files in question are in quarantine when they are legitimate files and I have no explanation why they are in quarantine rather than deleted as you suggest they would have been if it was Combofix's doing. I've only used it as you've instructed me.

The error I'm getting is Error 1720: Windows Installer Package script could not run. I can click ok or cancel and this message pops up multiple times before going away.

Go back to your last Combofix log and look at the beginning:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\program files\hp\hp software update\HPWuSchd2.exe

The file is there because I had this entry in the script that you ran through Combofix. Script shows:
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe which I removed as I try to discourage auto-updates. This was in anticipation of you unchecking what I listed. However, if you did not uncheck the entry on Startup then you will get an error on boot because I removed it.


If you are talking about unchecking it in the startup processes...I will do that..as soon as I can access msconfig to do so!


If you can't bring up the utility as instructed, try this:
3. Check “Run command“.
4. Click OK.
So if you can clarify your comments, maybe I can guide you. All you have to do was bring up the msconfig utility. If you were trying to determine what an entry was for: look at the image below:

This was the first thing I tried, but again, it was unsuccessful as it appears it was quarantined by Combofix. I am able to pull up msconfig and disable startup processes on my laptop just fine, so I don't think I will have trouble using it..once I can access it.

So, it appears the next step is to get msconfig and the other legitimate processes out of the Qoobox quarantine and back to where they 'should' be so I can use them. How do I do that?
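The back-and-forth above turns on which Qoobox entries actually date from the two ComboFix runs in this thread. As an added example (not from this thread or from ComboFix's author), here is a small Python parser for the ComboFix-quarantined-files.txt line format that splits the listing by run date, separates registry backups from quarantined `.vir` files, and reconstructs each `.vir` file's original path. It assumes the two timestamps are the item's creation and last-modified times, and the sample lines are constructed from the listing posted above.

```python
"""Sort a ComboFix 'ComboFix-quarantined-files.txt' listing by run date.

Each line is '<created> . <modified> <size> <attrs> <path>'. Assumption
(not stated anywhere in this thread): the two timestamps are the quarantined
item's creation and last-modified times, so a file moved into Qoobox keeps
the dates it already had. Added example, not ComboFix's own code.
"""
import re
from datetime import datetime

# Constructed sample: a subset of the listing quoted in this thread.
QUARANTINE_LISTING = r"""
2011-08-27 23:19:08 . 2011-08-27 23:19:08 1,602 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Viewpoint Manager Service.reg.dat
2011-08-27 23:10:22 . 2011-08-27 23:10:22 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-07-27 03:07:35 . 2011-07-27 03:07:35 710 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2011-07-27 01:40:10 . 2011-08-27 23:10:22 175 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-07-16 03:57:30 . 2011-07-16 03:57:32 388,608 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\HijackThis.exe.vir
2008-08-15 19:02:32 . 2008-05-27 05:18:43 439,808 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\searchindexer.exe.vir
2008-05-27 21:07:59 . 2008-01-19 07:33:16 227,840 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir
2000-12-06 20:01:52 . 2000-12-06 20:01:52 415,176 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\comct332.ocx.vir
"""

# The two ComboFix runs documented in this thread.
RUN_DATES = {"2011-07-27", "2011-08-27"}

QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\"
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
LINE_RE = re.compile(
    rf"^(?P<created>{TS}) \. (?P<modified>{TS}) (?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)


def classify(path):
    """Registry backup, quarantined file (.vir), or other (ComboFix's own logs)."""
    if "\\registry_backups\\" in path.lower():
        return "registry_backup"
    if path.lower().endswith(".vir"):
        return "quarantined_file"
    return "other"


def parse_listing(text):
    """Return one dict per listing line; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["created"] = datetime.strptime(d["created"], "%Y-%m-%d %H:%M:%S")
        d["modified"] = datetime.strptime(d["modified"], "%Y-%m-%d %H:%M:%S")
        d["size"] = int(d["size"].replace(",", ""))
        d["kind"] = classify(d["path"])
        entries.append(d)
    return entries


def original_path(quarantine_path):
    """Map 'C:\\Qoobox\\Quarantine\\C\\Windows\\x.exe.vir' back to 'C:\\Windows\\x.exe'.

    Returns None for anything that is not a quarantined .vir file."""
    p = quarantine_path
    if not (p.lower().startswith(QUARANTINE_ROOT.lower()) and p.lower().endswith(".vir")):
        return None
    rest = p[len(QUARANTINE_ROOT):-len(".vir")]   # e.g. 'C\Windows\System32\msconfig.exe'
    return rest[0] + ":" + rest[1:]


def split_by_run(entries, run_dates=RUN_DATES):
    """Split entries into those created on a known run date and all the rest."""
    from_runs = [e for e in entries if e["created"].date().isoformat() in run_dates]
    others = [e for e in entries if e["created"].date().isoformat() not in run_dates]
    return from_runs, others


def quarantined_system_files(entries):
    """Original paths of quarantined files that lived under C:\\Windows\\System32.

    These are the ones worth verifying against a trusted copy (SFC, WinSxS)
    before deciding whether they were ever malicious."""
    out = []
    for e in entries:
        orig = original_path(e["path"])
        if orig and orig.lower().startswith("c:\\windows\\system32\\"):
            out.append(orig)
    return out


if __name__ == "__main__":
    ents = parse_listing(QUARANTINE_LISTING)
    from_runs, older = split_by_run(ents)
    print("from documented runs:", [e["path"].rsplit("\\", 1)[-1] for e in from_runs])
    print("older than those runs:", [e["path"].rsplit("\\", 1)[-1] for e in older])
    print("System32 files in quarantine:", quarantined_system_files(ents))
```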
 
Did you notice the date in the Qoobox files for the entries you're concerned about?

First:
2008-05-27 21:07:59 . 2008-01-19 07:33:16 227,840 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir
Second:
2008-08-15 19:02:32 . 2008-05-27 05:18:43 439,808 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\searchindexer.exe.vir
Third:
2007-08-24 18:58:39 . 2007-04-07 09:56:47 132,760 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\jusched.exe.vir
Fourth:
2000-12-06 20:01:52 . 2000-12-06 20:01:52 415,176 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\comct332.ocx.vir

How can you even have a Qoobox on the system with files this old? When Combofix is uninstalled correctly, it removes the logs and the backups!
======================================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    msconfig*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Did you notice the date in the Qoobox files for the entries you're concerned about?

Well, considering the Windows Updater is broken, I'm not sure I could expect them to be much newer..(Comct..not sure about. That file is clearly older than the computer itself.)

How can you even have a Qoobox on the system with files this old? When Combofix is uninstalled correctly, it removes the logs and the backups!

I get it..my computer is old and most people would have replaced it by now..but I can't afford that. Was I supposed to uninstall it? I don't remember seeing that in your instructions.


SystemLook 30.07.11 by jpshortstuff
Log created at 18:58 on 16/09/2011 by Melly
Administrator - Elevation successful

========== filefind ==========

Searching for "msconfig*"
C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir --a---- 227840 bytes [21:07 27/05/2008] [07:33 19/01/2008] 7629E9BB2FF06EACA62580A2C1D4FE6A
C:\Users\Melly\AppData\Roaming\Microsoft\Windows\Recent\msconfig.exe.vir.lnk --a---- 3923 bytes [17:40 05/09/2011] [17:40 05/09/2011] 10FB6658506EB97A2ABB82CDFD57AFC2
C:\Users\Melly\AppData\Roaming\Microsoft\Windows\Recent\msconfig.png.lnk --a---- 3736 bytes [17:41 05/09/2011] [17:41 05/09/2011] E80E6A15374D6BF0A04AF5DC2D2CC5CD
C:\Windows\System32\en-US\msconfig.exe.mui --a---- 28672 bytes [12:40 02/11/2006] [12:40 02/11/2006] 7DDB709C73A1EB0E27D3EE5DD60BC980
C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe.resources_31bf3856ad364e35_6.0.6000.16386_en-us_75e9bb24559d44f2\msconfig.exe.mui --a---- 28672 bytes [12:40 02/11/2006] [12:40 02/11/2006] 7DDB709C73A1EB0E27D3EE5DD60BC980
C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.0.6000.16386_none_d8437c87a0d4ffbd\msconfig.exe --a---- 222208 bytes [08:35 02/11/2006] [09:45 02/11/2006] 1BB128A09911A936E8EFC30C3F6C597C
C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.0.6001.18000_none_da7a3e839dc01091\msconfig.exe --a---- 227840 bytes [21:07 27/05/2008] [07:33 19/01/2008] 7629E9BB2FF06EACA62580A2C1D4FE6A

-= EOF =-
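The SystemLook output above already contains a useful check that neither party draws out: the MD5 of the quarantined `msconfig.exe.vir` (7629E9BB...) is the same as the MD5 of the `6.0.6001.18000` copy in the WinSxS component store. As an added example (not from this thread or from SystemLook's author), the Python below parses `:filefind` hit lines and, for each quarantined `.vir` file, lists the non-quarantine paths that carry an identical hash and size; the sample lines are constructed from the log posted above.

```python
"""Cross-check SystemLook ':filefind' hits by MD5.

For every quarantined .vir file, find other hits with the same MD5 and size.
A match inside C:\\Windows\\winsxs means the quarantined bytes are identical
to a copy Windows itself installed (a known-good reference, provided the
component store is trusted). Added example, not SystemLook's own code.
"""
import re
from collections import defaultdict

# Constructed sample: the filefind hits quoted in this thread.
SYSTEMLOOK_OUTPUT = r"""
========== filefind ==========

Searching for "msconfig*"
C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir --a---- 227840 bytes [21:07 27/05/2008] [07:33 19/01/2008] 7629E9BB2FF06EACA62580A2C1D4FE6A
C:\Users\Melly\AppData\Roaming\Microsoft\Windows\Recent\msconfig.exe.vir.lnk --a---- 3923 bytes [17:40 05/09/2011] [17:40 05/09/2011] 10FB6658506EB97A2ABB82CDFD57AFC2
C:\Windows\System32\en-US\msconfig.exe.mui --a---- 28672 bytes [12:40 02/11/2006] [12:40 02/11/2006] 7DDB709C73A1EB0E27D3EE5DD60BC980
C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.0.6000.16386_none_d8437c87a0d4ffbd\msconfig.exe --a---- 222208 bytes [08:35 02/11/2006] [09:45 02/11/2006] 1BB128A09911A936E8EFC30C3F6C597C
C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.0.6001.18000_none_da7a3e839dc01091\msconfig.exe --a---- 227840 bytes [21:07 27/05/2008] [07:33 19/01/2008] 7629E9BB2FF06EACA62580A2C1D4FE6A

-= EOF =-
"""

# '<path> <attrs> <size> bytes [<modified>] [<created>] <MD5>'
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]+)\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>[0-9A-F]{32})$"
)


def parse_filefind(text):
    """Return one dict per hit line; headings, blanks and the EOF marker are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            hits.append(d)
    return hits


def is_quarantined(path):
    return "\\qoobox\\quarantine\\" in path.lower()


def is_component_store(path):
    return path.lower().startswith("c:\\windows\\winsxs\\")


def match_quarantined_to_store(hits):
    """Map each quarantined .vir path to the identical copies found elsewhere."""
    by_md5 = defaultdict(list)
    for h in hits:
        by_md5[h["md5"]].append(h)

    report = {}
    for h in hits:
        if not (is_quarantined(h["path"]) and h["path"].lower().endswith(".vir")):
            continue
        twins = [o["path"] for o in by_md5[h["md5"]]
                 if o["path"] != h["path"]
                 and not is_quarantined(o["path"])
                 and o["size"] == h["size"]]
        report[h["path"]] = {
            "md5": h["md5"],
            "identical_copies": twins,
            "matches_component_store": any(is_component_store(p) for p in twins),
        }
    return report


if __name__ == "__main__":
    for q, info in match_quarantined_to_store(parse_filefind(SYSTEMLOOK_OUTPUT)).items():
        print(q, "->", "WinSxS match" if info["matches_component_store"] else "no match",
              info["identical_copies"])
```

A hash match only says the quarantined copy is byte-identical to the stock binary; it does not explain why it was quarantined or whether the copy currently missing from System32 should be put back by hand rather than by SFC.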
 
Let's clear some things up:

I said the Qoobox entries were old> did not say nor did I infer that your computer was old and should be replaced. But I did make a reference to the great number of files that were cleaned up in OTM> And computers that have been used for several years require good maintenance if you want to be able to run the system at all.

The only Qoobox entries from the Combofix run I had you do are these:
2011-08-27 23:19:08 . 2011-08-27 23:19:08 1,602 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Viewpoint Manager Service.reg.dat
2011-08-27 23:10:22 . 2011-08-27 23:10:22 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-07-27 03:07:35 . 2011-07-27 03:07:35 1,540 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Palm-DB-Tools_is1.reg.dat
2011-07-27 03:07:35 . 2011-07-27 03:07:35 710 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2011-07-27 03:06:56 . 2011-07-27 03:06:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-HotSync.reg.dat
2011-07-27 03:06:54 . 2011-07-27 03:06:54 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}.reg.dat
2011-07-27 03:06:53 . 2011-07-27 03:06:53 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat
2011-07-27 01:56:25 . 2011-08-27 23:18:40 5,174 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-07-27 01:40:10 . 2011-08-27 23:10:22 175 ----a-w- C:\Qoobox\Quarantine\catchme.log

And there is one from when you 'dabbled in the Registry' with no backup:
2011-07-16 03:57:32 388,608 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\HijackThis.exe.vir

The infected msconfig file was removed 3 years ago:
2008-01-19 07:33:16 227,840 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir

I get it..my computer is old and most people would have replaced it by now..but I can't afford that. Was I supposed to uninstall it? I don't remember seeing that in your instructions.
The instructions were as follows:
Post #4- 07-20-2011
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

* Click START> then RUN
* Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Those of us who help in these forums do our best to warn users not to use Combofix unless instructed to by their helper> It is clear that you have run Combofix numerous times during the years and that with help or without it, it has not been uninstalled properly as that would have removed the logs and the backups the program created.

I tried to bring your attention to the date for these files in the Qoobox:
Did you notice the date in the Qoobox files for the entries you're concerned about?
First:
2008-05-27 21:07:59 . 2008-01-19 07:33:16 227,840 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir
Second:
2008-08-15 19:02:32 . 2008-05-27 05:18:43 439,808 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\searchindexer.exe.vir
Third:
2007-08-24 18:58:39 . 2007-04-07 09:56:47 132,760 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\jusched.exe.vir
Fourth:
2000-12-06 20:01:52 . 2000-12-06 20:01:52 415,176 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\comct332.ocx.vir
None of the dates above are from the current running of Combofix> and because you never uninstalled Combofix after all those runs, the files in the Qoobox continued to show.
================================================
If you want to continue, you can try running the SFC:
System File Checker SFC
  1. Locate your Windows Vista installation CD. If you don't have one, you'll need to locate a directory on your system that's named i386. This directory may be on a hidden partition on your hard drive.
  2. Go to Start> Run> type in SFC.EXE /SCANNOW (with a space between the SFC.EXE and the /SCANNOW).
  3. Go to the top of the box and right click on SFC.EXE /SCANNOW and select "Run As Administrator"> Enter.
  4. The program may (or it may not) ask you for your Windows Vista installation CD - please insert it at the prompt. If it doesn't ask you for the CD this means that it wasn't necessary to replace any files.
  5. If SFC asks you for the CD, you can get Windows Update immediately after the scan is completed (Please note that there won't be any confirmation dialog - the program will just exit without telling you anything).
  6. If this doesn't repair the problem with your system other troubleshooting procedures are required.
 
Let's clear some things up:

And there is one from when you 'dabbled in the Registry' with no backup:
How do you know the dabbled registry had anything to do with Hijack This? As far as I knew, it didn't; it was a thread purely about HP update and the article wouldn't know whether I had HijackThis installed. (Not saying you're wrong, just surprised that that would be it).


Those of us who help in these forums do our best to warn users not to use Combofix unless instructed to by their helper> It is clear that you have run Combofix numerous times during the years and that with help or without it, it has not been uninstalled properly as that would have removed the logs and the backups the program created.

I tried to bring your attention to the date for these files in the Qoobox:

None of the dates above are from the current running of Combofix> and because you never uninstalled Combofix after all those runs, the files in the Qoobox continued to show.

OK, how about some additional clarification:
I have never even heard of Combofix before you told me to install it. I have no explanation for the dates on the log and didn't even know they were delete dates rather than install dates or something. IF I had Combofix on my computer at any time prior to you telling me to install it, I have no idea how it got there, and I certainly wasn't running it. I am by no means purposely ignoring your instructions and doing my best to follow them step for step, but I can't uninstall something that I didn't know existed.

So how do the date entries get created? I did not even OWN this computer until about 2007 or so, and as you pointed out, one of the dates is from 2000...what explanation is there for these dates when I have in actuality never run the program before and didn't even own the computer then?


How long does this SFC scan take? I run it and get a blip of a window on the screen and then nothing.
 
I don't think that you are interested in continuing support. You started this thread 2 and a half months ago. You are a bit combative to what I suggest. It appears that when you got the computer 4 years ago, it had not been cleaned up by the previous owner.

The best thing for you to do at this point is to reformat and reinstall the operating system.

You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

I'm sorry I couldn't be of more help.
 