TechSpot

[Closed] HP Vista will not install updates..hijack this log

By MellyJC
Jul 16, 2011
Topic Status:
Not open for further replies.
  1. My computer has had problems for a while now that the updater won't run/dies. Running Vista Home Premium. It is now up to "Installing 1 of 75" upon shutdown however it always hangs and never gets past the first update even if I let it sit for 24 hours. I've tried installing different updates in different order to try to get *something* to stick without success. Occasionally when running, I will get a message that the updater stopped working. Of course the fix for this is... updates.

    I've just recently been clued in that this could be caused by an HP ActiveX security flaw. http://www.theregister.co.uk/2008/06/04/hp_support_app_multiple_vulns/

    I've attempted to kill the registry per the instructions. Regardless of whether that's enough (I've only rebooted into safe mode since then, it hasn't tried to install updates) I want to clean things up.

    My HijackThis log isn't pretty... thought I'd come to the pros before trying to clean anything. Please take a look and advise accordingly. I'd given up long ago on trying to get this machine running decently, but if it's possible now I'd love to. Hard-killing it every time it tries to update is not my preference.

    Thank you!


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry to hear you dabbled in the Registry! Did you make a backup first?

    Failed updates can have several causes, malware being only one of them. I'll be glad to check the system for malware but we do not use HijackThis to 'screen' for malware.

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ====================================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
  3. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 51

    Thank you!

    Ultimate sin, I know - did not make a fresh backup, kind of relying on an old one before registry dabbling. I could make excuses but won't do it again... following instructions now.

    Now that I am actually on this computer again and seeing some of the archaic things on it I'm wondering if a format and reinstall may be the best option...will await your thoughts/advice.

    Here are my logs:

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7176

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    7/17/2011 12:15:08 PM
    mbam-log-2011-07-17 (12-15-08).txt

    Scan type: Quick scan
    Objects scanned: 190885
    Time elapsed: 9 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56} (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ***** Small note, I ran GMER and assume it finished, but never got a message saying the scan was complete. Should I have? *****

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-07-17 12:45:23
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\00000055 ST336032 rev.3.CH
    Running: GMER.exe; Driver: C:\Users\Melly\AppData\Local\Temp\pgldrpob.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x90E29398]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_2011-07-14.01) - NTFS_x86
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_23
    Run by Melly at 13:11:03 on 2011-07-17
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1967 [GMT -7:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\D-Link\D-Link USB VoIP Adapter\VServ.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Windows\system32\schtasks.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Users\Melly\AppData\Local\Google\Update\1.3.21.57\GoogleCrashHandler.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\taskeng.exe
    C:\hp\kbd\kbd.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Windows\system32\ctfmon.exe
    C:\Windows\system32\taskeng.exe
    C:\Users\Melly\Downloads\GMER.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
    BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Aim6] <no file>
    mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [KBD] c:\hp\kbd\KbdStub.EXE
    mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
    mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [avast! PDA Edition Updater] c:\progra~1\alwils~1\avast!~1\aswPdaUp.exe
    mRun: [DLinkMonitor.exe] c:\program files\d-link\d-link usb voip adapter\DLinkMonitor.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
    StartupFolder: c:\users\melly\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\melly\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: Free YouTube to Mp3 Converter - c:\users\melly\appdata\roaming\dvdvideosoftiehelpers\youtubetomp3.htm
    IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    TCP: NameServer = 10.0.0.2
    TCP: Interfaces\{52E9304E-D1AC-4A0F-8EAC-7C57EE548287} : DHCPNameServer = 10.0.0.2
    Handler: ipp - <Clsid value has no data>
    Handler: msdaipp - <Clsid value has no data>
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    LSA: Authentication Packages = msv1_0 relog_ap
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\windows mail\WinMail.exe" OCInstallUserConfigOE
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\melly\appdata\roaming\mozilla\firefox\profiles\v0jkl18z.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
    FF - plugin: c:\progra~1\palmone\packag~1\NPInstal.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\users\melly\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\users\melly\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\melly\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 TLRecAgent;TLRecAgent;c:\windows\system32\drivers\TLRecAgent.sys [2009-1-5 37208]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-15 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-7 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-7 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2007-12-11 54104]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 42184]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-4 24652]
    R2 VService;VService;c:\program files\d-link\d-link usb voip adapter\VServ.exe [2007-1-2 105208]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-17 41272]
    S3 slusbvip;SL3800 USB Driver;c:\windows\system32\drivers\slusbvip.sys [2009-1-5 591832]
    S3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2009-1-5 85656]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-5-27 16896]
    .
    =============== File Associations ===============
    .
    ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~3\office\FRONTPG.EXE
    .
    =============== Created Last 30 ================
    .
    2011-07-17 18:57:23 -------- d-----w- c:\users\melly\appdata\roaming\Malwarebytes
    2011-07-17 18:57:17 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-17 18:57:16 -------- d-----w- c:\programdata\Malwarebytes
    2011-07-17 18:57:13 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-17 18:57:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-16 04:09:23 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-07-16 03:57:30 388608 ----a-w- c:\users\melly\HijackThis.exe
    2011-07-16 03:05:50 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1b82c615-5162-4ed8-ac70-ce3b28c0e595}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2011-07-12 23:32:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr
    2011-07-04 11:32:20 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-05-25 02:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 13:11:37.74 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-07-14.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/10/2007 11:04:36 AM
    System Uptime: 7/17/2011 12:51:10 PM (1 hours ago)
    .
    Motherboard: ECS | | Nettle2
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket M2 | 2200/201mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 327 GiB total, 68.219 GiB free.
    D: is FIXED (NTFS) - 9 GiB total, 1.191 GiB free.
    E: is CDROM ()
    G: is Removable
    H: is Removable
    I: is FIXED (NTFS) - 190 GiB total, 49.532 GiB free.
    J: is Removable
    K: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    3ivx D4 4.5.1 Decoder (remove only)
    Acronis*True*Image*Home
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Media Player
    Adobe Reader 8.1.7
    AIM 6
    Allway Sync version 9.4.11
    Amazon MP3 Downloader 1.0.3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    avast! Free Antivirus
    avast! PDA Edition
    Bonjour
    Canon iP1800 series
    Canon My Printer
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities Solution Menu
    Codejedi Inc Shadow Plan for PalmOS
    D-Link USB VoIP Adapter
    Diablo II
    Dropbox
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    Enhanced Multimedia Keyboard Solution
    firstobject XML Editor version 2.3.2
    Free Audio CD Burner version 1.4
    Free YouTube to MP3 Converter version 3.7
    Garmin Training Center v5
    Garmin WebUpdater
    Google Chrome
    Google Talk (remove only)
    Google Talk Plugin
    HijackThis 2.0.0
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Active Support Library 32 bit components
    HP Advisor
    HP Customer Experience Enhancements
    HP Customer Feedback
    HP Easy Setup - Frontend
    HP On-Screen Cap/Num/Scroll Lock Indicator
    HP Photosmart Essential 2.01
    HP Photosmart Essential2.01
    HP Picasso Media Center Add-In
    HP Update
    HPAsset component for HP Active Support Library
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 23
    Java(TM) SE Runtime Environment 6 Update 1
    Juniper Networks Network Connect 6.5.0
    Juniper Networks Setup Client
    Juniper Networks Setup Client Activex Control
    Kurso de Esperanto 3
    LightScribe 1.6.45.1
    LJ Comment Stats Wizard 1.7
    ljArchive
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2000 Premium
    Microsoft Office Home and Student 60 day trial
    Microsoft Silverlight
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Mozilla Firefox (3.6.18)
    MRIcroN (remove only)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 6.0
    My HP Games
    Myst III EXILE Patch 1.22
    Myst III: Exile
    Myst IV - Revelation
    neroxml
    Netflix Movie Viewer
    NVIDIA Drivers
    NVIDIA PhysX v8.09.04
    Paint.NET v3.31
    Palm-DB-Tools 0.3.6
    Palm Desktop by ACCESS
    Pilot-DB 1.1.3
    Plucker 1.6
    PSSWCORE
    Python 2.5
    QuickTime
    Realtek High Definition Audio Driver
    Rhapsody Player Engine
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator EasyArchive
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD Basic v9
    Security Update for CAPICOM (KB931906)
    Simplify Media
    Skype Toolbars
    Skype™ 4.2
    Snapfish Picture Mover
    Soft Data Fax Modem with SmartCP
    SportTracks 2.1
    TeLL me More CJ
    The Journey to Wild Divine
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VideoToolkit01
    Viewpoint Media Player
    WeatherBug Gadget
    Windows Live installer
    Windows Live Sign-in Assistant
    WinZip 15.0
    Yahoo! Messenger
    Yahoo! Search Protection
    Zoom ADSL Modem
    .
    ==== End Of File ===========================
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    GMER is okay. You can see the EOF (end of file) at the end.

    When you mention updates, I took this to be referring to Windows update- is that correct?
    ==================================================
    Please run the following: I will give you a script after you have run Combofix to remove some entries:
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and opened in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==============================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =====================================
    Remind me when we're finished to give you a list of the HP entries. You should check what they do and remove any you're not using. HP, like other computer manufacturers, preloads a lot of processes. I have found that most users don't know this, don't use most of the processes and don't realize they can remove the processes from Startup and uninstall what they don't use.
    ==============================================
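    As an added illustration (not code from this thread or from any of the tools it mentions), a small Python triage script that reads excerpts of the MBAM, GMER and DDS output pasted above: it pulls the MBAM counts and detection lines, checks for the GMER EOF marker Bobbye refers to, and lists the autostart entries that point at nothing or at HP preloads. The log excerpts and helper names are my own constructions, modelled on post 3.

```python
"""Triage helpers for the scan logs pasted in this thread (MBAM, GMER, DDS).

The excerpts below are constructed from the logs in post 3; they are not the
complete logs, and the function names are my own, not any tool's API.
"""
import re

# Constructed excerpt of a Malwarebytes' Anti-Malware log.
MBAM_LOG = r"""
Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 0

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56} (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Constructed excerpt of a GMER log; a run that finished ends with the EOF marker.
GMER_LOG = r"""
---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
"""

# Constructed excerpt of the DDS "Pseudo HJT Report" section.
DDS_HJT = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6] <no file>
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
"""

# "<category> Infected: <n>" summary lines in the MBAM log.
SUMMARY_RE = re.compile(r"^(?P<kind>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "<item> (<label>) -> <action>." detection lines in the MBAM log.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<label>[^()]+)\) -> (?P<action>.+?)\.?$")
# "uRun/mRun/mRunOnce: [<name>] <target>" autostart lines in the DDS report.
RUN_RE = re.compile(r"^(?P<scope>[um])Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
# "BHO: [<name>: ]{<clsid>} - <target>" browser helper object lines.
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")

# Path fragments that identify the vendor preloads Bobbye wants reviewed.
VENDOR_MARKERS = ("\\hp\\", "hewlett-packard")


def mbam_summary(text):
    """Return the per-category counts, e.g. {'Registry Keys Infected': 1, ...}."""
    counts = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            counts[m.group("kind")] = int(m.group("count"))
    return counts


def mbam_detections(text):
    """Return (item, label, action) for each detection line in the MBAM log."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append((m.group("item"), m.group("label"), m.group("action")))
    return found


def gmer_completed(text):
    """A GMER scan that ran to the end writes an EOF marker as its last section."""
    return "---- EOF - GMER" in text


def hjt_entries(text):
    """Parse Run/RunOnce and BHO lines of the DDS pseudo-HJT report into dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": "Run", "name": m.group("name"), "target": m.group("target")})
            continue
        m = BHO_RE.match(line)
        if m:
            # An unnamed BHO is identified by its CLSID only.
            entries.append({"kind": "BHO", "name": m.group("name") or m.group("clsid"),
                            "target": m.group("target")})
    return entries


def flag_entries(entries, vendor_markers=VENDOR_MARKERS):
    """Split autostart entries into ones pointing at nothing and vendor preloads."""
    missing, vendor = [], []
    for e in entries:
        target = e["target"].strip().strip('"').lower()
        if target.startswith("<"):  # <no file>, <orphaned>: dangling entries
            missing.append(e["name"])
        elif any(marker in target for marker in vendor_markers):
            vendor.append(e["name"])
    return {"missing": missing, "vendor": vendor}
```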
  5. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 51

    Hi,

    Yes, I'm referring to the Windows Updates that don't occur. There is also a driver/program that I can't seem to uninstall that always occurs on bootup that annoys me, although it doesn't cause any major problems, other than probably adding a bit to boot time. I know HP loaded a bunch of junk... some of it I left as 'maybe someday I'll explore if this is useful' but of course never do. Right now I'd just like a clean-running system so getting rid of that would be fine... especially if that was the breach that allowed the infection (grr).

    ComboFix 11-07-26.03 - Melly 07/26/2011 18:47:06.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1684 [GMT -7:00]
    Running from: c:\users\Melly\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\progra~1\COMMON~1\{525D3~1
    c:\progra~1\COMMON~1\{525D3~1\SLMSICA.ini
    c:\progra~1\COMMON~1\{525D3~1\slscp.log
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\autorun.inf
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Ivr.scp
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\readme.txt
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.exe
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.MSI
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.scp
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\SLExtBU\ivr.scp
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\SLExtBU\Setup.scp
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.cat
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.inf
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.sys
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvad.cat
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvad.inf
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvad.sys
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvipco.dll
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\slvipgx.dll
    c:\progra~1\COMMON~1\{525D3~1\SLTLINK\TLRecAgent.sys
    c:\users\Melly\AppData\Roaming\.#
    c:\users\Melly\Documents\~WRL0003.tmp
    c:\users\Melly\Documents\~WRL0575.tmp
    c:\users\Melly\Documents\~WRL1064.tmp
    c:\users\Melly\Documents\~WRL1660.tmp
    c:\users\Melly\Documents\~WRL2540.tmp
    c:\users\Melly\Documents\~WRL2931.tmp
    c:\users\Melly\Documents\~WRL3727.tmp
    c:\users\Melly\HijackThis.exe
    c:\windows\system\MSVCIRT.DLL
    c:\windows\system\olepro32.dll
    c:\windows\system32\jusched.exe
    c:\windows\system32\msconfig.exe
    c:\windows\system32\searchindexer.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-27 to 2011-07-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-27 02:01 . 2011-07-27 02:01 -------- d-----w- c:\users\Sol\AppData\Local\temp
    2011-07-27 02:01 . 2011-07-27 02:01 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-27 01:43 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{44B5D35C-7491-4446-99DD-66AD024DEEB3}\mpengine.dll
    2011-07-17 18:57 . 2011-07-17 18:57 -------- d-----w- c:\users\Melly\AppData\Roaming\Malwarebytes
    2011-07-17 18:57 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-17 18:57 . 2011-07-17 18:57 -------- d-----w- c:\programdata\Malwarebytes
    2011-07-17 18:57 . 2011-07-17 18:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-17 18:57 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-16 04:09 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-12 23:32 . 2011-05-26 16:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-04 11:43 . 2011-01-29 02:33 40112 ----a-w- c:\windows\avastSS.scr
    2011-07-04 11:43 . 2007-12-11 07:47 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-07-04 11:36 . 2008-04-07 15:31 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-07-04 11:35 . 2007-12-11 07:48 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-07-04 11:32 . 2007-12-11 07:48 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-07-04 11:32 . 2007-12-11 07:47 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-07-04 11:32 . 2008-04-07 15:31 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-05-25 02:14 . 2009-10-03 08:10 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-04 11:52 . 2010-12-19 20:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "googletalk"="c:\users\Melly\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
    "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
    "SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-10 909208]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13584928]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 92704]
    "avast! PDA Edition Updater"="c:\progra~1\ALWILS~1\AVAST!~1\aswPdaUp.exe" [2004-01-09 507904]
    "DLinkMonitor.exe"="c:\program files\D-Link\D-Link USB VoIP Adapter\DLinkMonitor.exe" [2007-01-03 651264]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
    .
    c:\users\Melly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Melly\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiSpywareOverride"=dword:00000001
    .
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-07 41272]
    R3 slusbvip;SL3800 USB Driver;c:\windows\system32\DRIVERS\slusbvip.sys [2007-01-02 591832]
    R3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2007-01-02 85656]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
    S0 TLRecAgent;TLRecAgent;c:\windows\system32\DRIVERS\TLRecAgent.sys [2007-01-02 37208]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S2 VService;VService;c:\program files\D-Link\D-Link USB VoIP Adapter\VServ.exe [2007-01-02 105208]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-995884451-1569160325-2105184467-1000Core.job
    - c:\users\Melly\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-11 21:32]
    .
    2011-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-995884451-1569160325-2105184467-1000UA.job
    - c:\users\Melly\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-11 21:32]
    .
    2011-07-27 c:\windows\Tasks\User_Feed_Synchronization-{7953496C-BE4A-471F-B41C-02EF2517CB54}.job
    - c:\windows\system32\msfeedssync.exe [2008-05-27 07:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: Free YouTube to Mp3 Converter - c:\users\Melly\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
    IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
    TCP: DhcpNameServer = 10.0.0.2
    FF - ProfilePath - c:\users\Melly\AppData\Roaming\Mozilla\Firefox\Profiles\v0jkl18z.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Aim6 - (no file)
    HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
    AddRemove-HijackThis - c:\users\Melly\Documents\HijackThis.exe
    AddRemove-Palm-DB-Tools_is1 - c:\users\Melly\Documents\Palm OS Desktop\pdbtools\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-26 20:04
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3332)
    c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Juniper Networks\Common Files\dsNcService.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-26 20:08:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-27 03:08
    .
    Pre-Run: 76,742,868,992 bytes free
    Post-Run: 76,170,231,808 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 32CC890797D12F640C2F56202DD62CAC

    ESET log:
    C:\Old backup sort\Program files\Sound Forge 8\Key_Generator.rar a variant of Win32/Keygen.AQ application
    C:\Users\Melly\Downloads\neoragex06b.zip a variant of Win32/Packed.PECrypt32.A application
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm very sorry- I didn't get the email feedback notice of a reply. That's two that didn't get through!

    For Eset: Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Old backup sort\Program files\Sound Forge 8\Key_Generator.rar 
      C:\Users\Melly\Downloads\neoragex06b.zip a
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    I don't know just what kind of directory this is>> C:\Old backup sort\Program files... but it has a pirated copy of a $400 program in it: Sound Forge 8. This program removed the malware. Please remove the pirated program.
    ========================================
    Regarding your question about the completion of GMER, this means the end> ---- EOF - GMER 1.0.15 ----. EOF=end of file.
    =======================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\program files\viewpoint\common\ViewpointService.exe
    Extra::
    File::
    c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    Firefox:: 
    Firefox-: - Profile- c:\users\melly\appdata\roaming\mozilla\firefox\profiles\v0jkl18z.default\
    DDS::
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    uRun: [Aim6] <no file>
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    Handler: ipp - <Clsid value has no data>
    Handler: msdaipp - <Clsid value has no data>
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=-
    "AntiSpywareOverride"=-
    Driver::
    Viewpoint Manager Service
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    1. Please update Java: Java Updates
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    2. Please update Adobe Reader: Adobe Reader site
    3. When finished go to Add/Remove Programs in the Control Panel and uninstall the following:
    HijackThis v2.0.0
    Adobe Reader 8.1.7
    Java v6u23
    Viewpoint>> any of the following programs associated with Viewpoint
    [o] Viewpoint Manager
    [o] Viewpoint Media Player
    [o] Viewpoint Toolbar
    4. Open Firefox: Tools> Addons> Remove Java v6u23
    Note: You do not need to put a separate extension in Firefox when you update.
    ====================================================
    Note: You should have as close as possible to 80% free on the hard drive. With the 2 drives you have, you have only 20%. So get rid of what you don't need, set up a good maintenance schedule and don't pirate any more programs or apps.

    See one more step in next reply.

    Do you know what this entry is? c:\progra~1\COMMON~1\{525D3~1\SLTLINK\Setup.exe
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    With an outdated Java, chances are good that there will be some bad entries in the Java cache, so you need to empty it:

    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on the Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on the Temporary Files Settings window.
    Images courtesy java.com
  8. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 51

    OTM log:
    All processes killed
    ========== FILES ==========
    C:\Old backup sort\Program files\Sound Forge 8\Key_Generator.rar moved successfully.
    File/Folder C:\Users\Melly\Downloads\neoragex06b.zip a not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Melly
    ->Temp folder emptied: 22462424 bytes
    ->Temporary Internet Files folder emptied: 1021467492 bytes
    ->Java cache emptied: 73705722 bytes
    ->FireFox cache emptied: 64944910 bytes
    ->Google Chrome cache emptied: 17970104 bytes
    ->Flash cache emptied: 208493 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Sol
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 53505180 bytes
    ->Java cache emptied: 23026440 bytes
    ->FireFox cache emptied: 40554831 bytes
    ->Flash cache emptied: 90298 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16156 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33239 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 1,257.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 08272011_143405

    Files moved on Reboot...
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    Combofix log
    ComboFix 11-08-27.01 - Melly 08/27/2011 16:11:11.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1968 [GMT -7:00]
    Running from: c:\users\Melly\Desktop\ComboFix.exe
    Command switches used :: c:\users\Melly\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\program files\viewpoint\common\ViewpointService.exe"
    "c:\program files\viewpoint\viewpoint media player\npViewpoint.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\hp\hp software update\HPWuSchd2.exe
    c:\program files\viewpoint\common\ViewpointService.exe
    c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    c:\windows\system32\comct332.ocx
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_Viewpoint Manager Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-27 23:31 . 2011-08-27 23:31 -------- d-----w- c:\users\Sol\AppData\Local\temp
    2011-08-27 23:31 . 2011-08-27 23:31 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-08-27 23:31 . 2011-08-27 23:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-08-27 22:23 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5B3E0B19-AC8B-47DE-9DA3-D86E21756BE9}\mpengine.dll
    2011-08-27 21:34 . 2011-08-27 21:34 -------- d-----w- C:\_OTM
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-12 23:32 . 2011-05-26 16:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-07 02:52 . 2011-07-17 18:57 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-07 02:52 . 2011-07-17 18:57 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-04 11:43 . 2011-01-29 02:33 40112 ----a-w- c:\windows\avastSS.scr
    2011-07-04 11:43 . 2007-12-11 07:47 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-07-04 11:36 . 2011-07-16 04:09 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-07-04 11:36 . 2008-04-07 15:31 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-07-04 11:35 . 2007-12-11 07:48 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-07-04 11:32 . 2007-12-11 07:48 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-07-04 11:32 . 2007-12-11 07:47 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-07-04 11:32 . 2008-04-07 15:31 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "googletalk"="c:\users\Melly\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
    "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
    "SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-10 909208]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13584928]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 92704]
    "avast! PDA Edition Updater"="c:\progra~1\ALWILS~1\AVAST!~1\aswPdaUp.exe" [2004-01-09 507904]
    "DLinkMonitor.exe"="c:\program files\D-Link\D-Link USB VoIP Adapter\DLinkMonitor.exe" [2007-01-03 651264]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
    .
    c:\users\Melly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Melly\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiSpywareOverride"=dword:00000001
    .
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-07 41272]
    R3 slusbvip;SL3800 USB Driver;c:\windows\system32\DRIVERS\slusbvip.sys [2007-01-02 591832]
    R3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2007-01-02 85656]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
    S0 TLRecAgent;TLRecAgent;c:\windows\system32\DRIVERS\TLRecAgent.sys [2007-01-02 37208]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
    S2 VService;VService;c:\program files\D-Link\D-Link USB VoIP Adapter\VServ.exe [2007-01-02 105208]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-995884451-1569160325-2105184467-1000Core.job
    - c:\users\Melly\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-11 21:32]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-995884451-1569160325-2105184467-1000UA.job
    - c:\users\Melly\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-11 21:32]
    .
    2011-08-27 c:\windows\Tasks\User_Feed_Synchronization-{7953496C-BE4A-471F-B41C-02EF2517CB54}.job
    - c:\windows\system32\msfeedssync.exe [2008-05-27 07:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
    uInternet Settings,ProxyOverride = *.local
    IE: Free YouTube to Mp3 Converter - c:\users\Melly\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
    IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
    TCP: DhcpNameServer = 10.0.0.2
    FF - ProfilePath - c:\users\Melly\AppData\Roaming\Mozilla\Firefox\Profiles\v0jkl18z.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 16:37
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3376)
    c:\users\Melly\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Juniper Networks\Common Files\dsNcService.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-27 16:45:10 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-27 23:45
    ComboFix2.txt 2011-07-27 03:08
    .
    Pre-Run: 161,262,227,456 bytes free
    Post-Run: 163,266,035,712 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
    - - End Of File - - 7705874390E307CDBA29F490144877A9

    So when it came to removing Java and Adobe Reader I did not find the exact entries you referred to. I have these:

    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Media Player
    Adobe Reader 8.3.0
    Java(TM) 6 Update 27
    Java(TM) SE Runtime Environment 6 Update 1

    Can you advise which ones I'm to remove?

    I did ditch Viewpoint Media. There is no entry for Hijack This.

    There is also a Java add-on for v26 in addition 27, FWIW. Should I get rid of that also?

    I am not sure what you mean by :"You do not need to put a separate extension in Firefox when you update." I've let updates go automatically, I haven't done anything with extensions. Is that a setting somewhere?

    I'm showing 46% space free on the hard drive. D is just a partition for factory restore..the computer came that way. I am trying to get it cleaned up but it's a very slow process since a low priority.

    No idea what the SLTLINK\setup.exe is about. I know there's a pesky D-Link VOIP driver that I can't seem to get rid of, but may be completely unrelated.

    Thank you for the help!
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Keep Java(TM) 6 Update 27
    Uninstall Java(TM) SE Runtime Environment 6 Update 1

    Update the Adobe Reader to v10: Adobe Reader Update .
    Uninstall Adobe Reader 8.3.0

    The others aren't applicable.
    ==========================================
    The state of your system is shown here in OTM: Total Files Cleaned = 1,257.00 mb
    No system will run decently with that many excess files!
    ==========================================
    My last instructions were 2 weeks ago. I would have closed the thread after 5 days, but this one slipped by.
    The thread was started on 7/16
    The Combofix span of "The Files Created" is from 2011-07-27 to 2011-08-27
    This is a kind way of saying the original logs are now outdated.
    ========================================
    About this:
    1. You identify the driver as to what it goes to, then you take that process off of startup.
    2. HP does add a huge number of processes, including an auto-updater. Identify the processes as to what they do. IF you don't need them, uninstall them. None of the processes need to be on startup. Here's a start:
    3. I think this is the 'pesky driver' you're referring to:
    S3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2009-1-5 85656]
    Remove it from startup and I'll remove this entry.

    4. I can remove malware and from that point, you'll have a "clean running system." But unless you remove the junk you don't need/want/use, you will never have a 'well running system.'
  10. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 51

    I know your last instructions were longer ago, and I appreciate your continued help despite my delays. I'm working 3 jobs and finding time when I'm actually at home and can work on this is a bit difficult.

    Feels like a stupid question, but I'm not sure where to access to remove things from Startup. I'm only aware of the ones in the "Startup" on the menu from the Start button..which only contains MS Office, Palm Hotsync, and Dropbox. And yes, that would be the driver I can't get rid of.

    Thanks..
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There's an excellent walk through using the msconfig utility to uncheck processes on the Startup Menu HERE
    There are screen shots to help you through. I do like to make a change in one place> when you have finished with the UAC section, you'll get this screen:
    [IMG]
    Image courtesy of netsquirrel.

    Instead of checking Normal Startup like in the image, check Selective Startup instead.
    When you boot the first time after making changes, you'll get a nag message about being in a diagnostic mode. Close the message> Check 'don't show message again.' Stay in Selective Startup to keep the changes.
    ---------------------------------------
    The above should make it easier for you. The only things you must leave on the Startup Menu are the antivirus, firewall if using a 3rd party FW like Zone Alarm, the process for the touchpad if on a laptop and if you have Cisco/Pure Networks, usually 2 processes for it. All the rest is optional.

    Some entries are also started by a registry entry or a Service set to Automatic. Both of those can also be modified. Just keep in mind that it's better to have less running than more and you can use All Programs to access. Many users put the printer/scanner on Startup- they don't need to be> clicking on File> Print will give you access on a screen that will allow you to choose the features you want.

    Once you get the system cleaned up and running well, you'll have more time to enjoy it!

    Let me know once you have decided what to take off of Startup and I'll remove the entries starting from the registry and tell you how to change a Service to Manual. This does not uninstall anything- it just stops the process from starting on boot.

    Edit: Forgot to tell you to open Firefox> Tools> Addons> remove Java v6u23 and v6u26. Be sure you update the system to Java v6u27>> you do not have to add a separate Java entry to Firefox.
     
  12. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 51

    Hm, well that didn't get very far. Searching for msconfig results in 3 png files and msconfig.exe.vir.

    It along with 3 other files are in a Quarantine folder by Combofix. comct332.ocx jusched.exe and searchindexer.exe. I assume the last explains why the search took so long as it told me the indexer was turned off.

    More looking shows that quarantine is the reason I'm getting errors about the HPupdate as well.

    I see you've got the SLTLINK stuff in there too - which looks to be related to the DLink VoIP adapter you were going to help me get rid of.

    So is there something I'm supposed to do with Combofix to restore msconfig, or do I just change the extension and move the file back to the regular system32 folder?
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I don't understand what you mean by this:
    -----------------------------------
    I also don't understand where you found this or what the comment means:
    comct332.ocx is a comct332 belonging to Microsoft Common Controls 3 Object Library from Microsoft Corporation
    jusched.exe is the executable that starts the Sun Java Update Scheduler
    searchindexer.exe is the Windows service that handles indexing of your files for Windows Search
    All 3 of these files are legitimate processes. Any of them can be stopped, one way by including the entry in the script to run through Combofix. But it would be a delete not a quarantine.
    When Combofix quarantines a file or folder, it sends it to the Qoobox.

    Nor does this make sense:
    What errors are you getting?
    -------------------
    Go back to your last Combofix log and look at the beginning:
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    c:\program files\hp\hp software update\HPWuSchd2.exe

    The file is there because I had this entry in the script that you ran through Combofix. Script shows:
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe which I removed as I try to discourage auto-updates. This was in anticipation of you unchecking what I listed. However, if you did not uncheck the entry on Startup then you will get an error on boot because I removed it.
    ================================
    If you can't bring up the utility as instructed, try this:
    By default, Windows Vista does not have the RUN function in the START menu. You can access RUN in two ways:
    1. Press “Windows” and “R” keys simultaneously.
    [IMG]
    Type msconfig in the Open box> OK
    or
    2. Customize the START menu, taking these steps:
    1. Right-click on the TASKBAR.
    2. Select “PROPERTIES“
    3. Check “Run command“.
    4. Click OK.
    So if you can clarify your comments, maybe I can guide you. All you have to do is bring up the msconfig utility. If you were trying to determine what an entry was for: look at the image below:
    [IMG]

    Do you see the >>>> to the left of the word 'Location'? There is a line to the right> hold your left mouse button down on the line and you will see a <->> move to the right to expand the Command column. That will show you what the entry is for.
  14. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 51

    I do have "Run" on my Start button but when I got the message that Windows couldn't find 'msconfig', I followed the instructions from the link you sent (to do a standard search) to try and find it. I got the 4 entries mentioned. The pngs appear to be icon images. The .vir is exactly as you describe - it seems I cannot access msconfig because Combofix moved it to quarantine (I make this assumption because its path is C/Qoobox/quarantine/C/Windows/System32.) When I opened up the containing folder, that's when I found the other legitimate processes appear to have been quarantined also. On further investigation, I found the "Combofix-quarantined-files.txt" which does specifically list msconfig, searchindexer, etc.:

    2011-08-27 23:19:08 . 2011-08-27 23:19:08 1,602 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Viewpoint Manager Service.reg.dat
    2011-08-27 23:10:22 . 2011-08-27 23:10:22 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
    2011-07-27 03:07:35 . 2011-07-27 03:07:35 1,540 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Palm-DB-Tools_is1.reg.dat
    2011-07-27 03:07:35 . 2011-07-27 03:07:35 710 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
    2011-07-27 03:06:56 . 2011-07-27 03:06:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-HotSync.reg.dat
    2011-07-27 03:06:54 . 2011-07-27 03:06:54 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}.reg.dat
    2011-07-27 03:06:53 . 2011-07-27 03:06:53 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat
    2011-07-27 01:56:25 . 2011-08-27 23:18:40 5,174 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2011-07-27 01:40:10 . 2011-08-27 23:10:22 175 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2011-07-16 03:57:30 . 2011-07-16 03:57:32 388,608 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\HijackThis.exe.vir
    2009-03-19 08:07:25 . 2009-03-19 08:08:06 58 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLMSICA.ini.vir
    2009-01-06 04:59:05 . 2009-03-19 08:08:06 1,618 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\SLExtBU\ivr.scp.vir
    2009-01-06 04:59:05 . 2009-03-19 08:08:06 994 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\SLExtBU\Setup.scp.vir
    2009-01-06 04:59:05 . 2009-03-19 08:08:06 3,303 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\slscp.log.vir
    2009-01-06 04:57:53 . 2007-01-02 20:30:28 37,208 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\TLRecAgent.sys.vir
    2009-01-06 04:57:53 . 2007-01-02 20:39:40 248,664 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slvipgx.dll.vir
    2009-01-06 04:57:53 . 2007-01-02 20:40:56 150,368 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slvipco.dll.vir
    2009-01-06 04:57:53 . 2007-01-02 20:38:40 85,656 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slvad.sys.vir
    2009-01-06 04:57:53 . 2007-01-04 18:38:22 6,117 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slvad.inf.vir
    2009-01-06 04:57:53 . 2007-01-02 21:16:28 8,991 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slvad.cat.vir
    2009-01-06 04:57:53 . 2007-01-02 20:31:28 591,832 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.sys.vir
    2009-01-06 04:57:53 . 2007-01-04 18:38:06 8,758 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.inf.vir
    2009-01-06 04:57:53 . 2007-01-02 21:16:26 8,572 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\slusbvip.cat.vir
    2009-01-06 04:57:53 . 2007-01-03 22:58:32 2,280 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\Setup.scp.vir
    2009-01-06 04:57:53 . 2007-01-04 18:43:44 4,421,120 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\Setup.MSI.vir
    2009-01-06 04:57:53 . 2009-01-06 04:57:09 563,960 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\Setup.exe.vir
    2009-01-06 04:57:53 . 2007-01-04 18:39:46 9,395 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\readme.txt.vir
    2009-01-06 04:57:53 . 2006-07-04 18:42:22 1,841 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\Ivr.scp.vir
    2009-01-06 04:57:53 . 2005-04-05 23:01:30 46 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\autorun.inf.vir
    2008-08-15 19:02:32 . 2008-05-27 05:18:43 439,808 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\searchindexer.exe.vir
    2008-05-27 21:07:59 . 2008-01-19 07:33:16 227,840 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir

    2008-05-10 03:00:41 . 1996-07-19 18:19:08 74,752 ----a-w- C:\Qoobox\Quarantine\C\Windows\system\MSVCIRT.DLL.vir
    2008-05-10 03:00:41 . 1996-06-19 23:21:32 76,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\system\olepro32.dll.vir
    2008-01-04 19:40:17 . 2007-01-04 21:38:08 24,652 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Viewpoint\Common\ViewpointService.exe.vir
    2008-01-04 19:39:28 . 2007-04-16 17:07:12 180,293 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll.vir
    2007-08-24 18:58:39 . 2007-04-07 09:56:47 132,760 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\jusched.exe.vir
    2007-05-08 23:24:20 . 2007-05-08 23:24:20 54,840 ----a-w- C:\Qoobox\Quarantine\C\Program Files\HP\HP Software Update\HPWuSchd2.exe.vir
    2000-12-06 20:01:52 . 2000-12-06 20:01:52 415,176 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\comct332.ocx.vir
    1970-01-01 00:00:00 . 2008-06-04 17:24:38 497,664 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL0003.tmp.vir
    1970-01-01 00:00:00 . 2008-06-10 16:34:51 500,736 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL0575.tmp.vir
    1970-01-01 00:00:00 . 2008-05-06 00:52:43 446,976 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL1064.tmp.vir
    1970-01-01 00:00:00 . 2008-05-07 22:30:03 449,024 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL1660.tmp.vir
    1970-01-01 00:00:00 . 2009-04-05 21:47:23 644,096 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL2540.tmp.vir
    1970-01-01 00:00:00 . 2008-05-07 23:06:12 448,512 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL2931.tmp.vir
    1970-01-01 00:00:00 . 2008-05-07 22:29:07 449,024 ----a-w- C:\Qoobox\Quarantine\C\Users\Melly\Documents\~WRL3727.tmp.vir


    I have no explanation for why the files in question are in quarantine when they are legitimate files and I have no explanation why they are in quarantine rather than deleted as you suggest they would have been if it was Combofix's doing. I've only used it as you've instructed me.

    The error I'm getting is Error 1720: Windows Installer Package script could not run. I can click ok or cancel and this message pops up multiple times before going away.


    If you are talking about unchecking it in the startup processes...I will do that..as soon as I can access msconfig to do so!


    This was the first thing I tried, but again, it was unsuccessful as it appears it was quarantined by Combofix. I am able to pull up msconfig and disable startup processes on my laptop just fine, so I don't think I will have trouble using it..once I can access it.

    So, it appears the next step is to get msconfig and the other legitimate processes out of the Qoobox quarantine and back to where they 'should' be so I can use them. How do I do that?
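As an added example (not code from this thread or from ComboFix's author), the Python script below parses lines in the format of the ComboFix-quarantined-files.txt listing above, reconstructs each file's original location from the Qoobox mirror layout (C:\Qoobox\Quarantine\<drive>\<path>.vir), and picks out quarantined Windows components that should be hash-checked against a known-good copy rather than assumed either malicious or safe to restore. Reading the two timestamps as creation and last-write times is an assumption about the listing format.

```python
"""Offline triage of a ComboFix 'ComboFix-quarantined-files.txt' listing.

Added example, not code from this thread or from ComboFix's author. Assumes
each line reads '<ts1> . <ts2> <size> <attrs> <quarantine path>' as in the
listing posted above; treating ts1/ts2 as creation/last-write is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"

LINE_RE = re.compile(
    r"^(?P<t1>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(?P<t2>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Quarantined files mirror their source as <drive>\<original path>.vir
MIRROR_RE = re.compile(r"^([A-Za-z])\\(.+)\.vir$", re.IGNORECASE)


@dataclass
class QuarantineEntry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    quarantine_path: str
    kind: str                     # "file", "registry_backup" or "tool_log"
    original_path: Optional[str]  # reconstructed only for kind == "file"


def parse_entry(line: str) -> Optional[QuarantineEntry]:
    """Parse one listing line; returns None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    qpath = m.group("path")
    rel = qpath
    if qpath.upper().startswith(QUARANTINE_ROOT.upper() + "\\"):
        rel = qpath[len(QUARANTINE_ROOT) + 1:]
    if rel.lower().startswith("registry_backups\\"):
        kind, original = "registry_backup", None   # .reg.dat undo files
    else:
        mm = MIRROR_RE.match(rel)
        if mm:
            kind = "file"
            original = f"{mm.group(1).upper()}:\\{mm.group(2)}"
        else:
            kind, original = "tool_log", None       # e.g. catchme.txt
    return QuarantineEntry(
        created=datetime.strptime(m.group("t1"), "%Y-%m-%d %H:%M:%S"),
        modified=datetime.strptime(m.group("t2"), "%Y-%m-%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        quarantine_path=qpath,
        kind=kind,
        original_path=original,
    )


def parse_listing(text: str) -> List[QuarantineEntry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def windows_components(entries: List[QuarantineEntry]) -> List[QuarantineEntry]:
    """Quarantined files that lived under C:\\Windows (msconfig.exe, the search
    indexer, ...): OS components to verify against a known-good copy before
    restoring, rather than assuming they were malicious or clean."""
    return [e for e in entries
            if e.original_path and e.original_path.upper().startswith("C:\\WINDOWS\\")]


# Sample input: six lines copied from the listing posted in this thread.
SAMPLE = r"""
2011-08-27 23:19:08 . 2011-08-27 23:19:08 1,602 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Viewpoint Manager Service.reg.dat
2011-08-27 23:10:22 . 2011-08-27 23:10:22 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2009-01-06 04:57:53 . 2009-01-06 04:57:09 563,960 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\{525D3~1\SLTLINK\Setup.exe.vir
2008-08-15 19:02:32 . 2008-05-27 05:18:43 439,808 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\searchindexer.exe.vir
2008-05-27 21:07:59 . 2008-01-19 07:33:16 227,840 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir
2007-05-08 23:24:20 . 2007-05-08 23:24:20 54,840 ----a-w- C:\Qoobox\Quarantine\C\Program Files\HP\HP Software Update\HPWuSchd2.exe.vir
"""

if __name__ == "__main__":
    for e in windows_components(parse_listing(SAMPLE)):
        print(f"{e.original_path}  size={e.size}  modified={e.modified:%Y-%m-%d}")
```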
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you notice the date in the Qoobox files for the entries you're concerned about?

    First:
    2008-05-27 21:07:59 . 2008-01-19 07:33:16 227,840 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir
    Second:
    2008-08-15 19:02:32 . 2008-05-27 05:18:43 439,808 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\searchindexer.exe.vir
    Third:
    2007-08-24 18:58:39 . 2007-04-07 09:56:47 132,760 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\jusched.exe.vir
    Fourth:
    2000-12-06 20:01:52 . 2000-12-06 20:01:52 415,176 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\comct332.ocx.vir

    How can you even have a Qoobox on the system with files this old? When Combofix is uninstalled correctly> it removes the logs and the backups!
    ======================================
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      msconfig*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  16. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 51

    Well, considering the Windows Updater is broken, I'm not sure I could expect them to be much newer..(Comct..not sure about. That file is clearly older than the computer itself.)

    I get it..my computer is old and most people would have replaced it by now..but I can't afford that. Was I supposed to uninstall it? I don't remember seeing that in your instructions.


    SystemLook 30.07.11 by jpshortstuff
    Log created at 18:58 on 16/09/2011 by Melly
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "msconfig*"
    C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir --a---- 227840 bytes [21:07 27/05/2008] [07:33 19/01/2008] 7629E9BB2FF06EACA62580A2C1D4FE6A
    C:\Users\Melly\AppData\Roaming\Microsoft\Windows\Recent\msconfig.exe.vir.lnk --a---- 3923 bytes [17:40 05/09/2011] [17:40 05/09/2011] 10FB6658506EB97A2ABB82CDFD57AFC2
    C:\Users\Melly\AppData\Roaming\Microsoft\Windows\Recent\msconfig.png.lnk --a---- 3736 bytes [17:41 05/09/2011] [17:41 05/09/2011] E80E6A15374D6BF0A04AF5DC2D2CC5CD
    C:\Windows\System32\en-US\msconfig.exe.mui --a---- 28672 bytes [12:40 02/11/2006] [12:40 02/11/2006] 7DDB709C73A1EB0E27D3EE5DD60BC980
    C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe.resources_31bf3856ad364e35_6.0.6000.16386_en-us_75e9bb24559d44f2\msconfig.exe.mui --a---- 28672 bytes [12:40 02/11/2006] [12:40 02/11/2006] 7DDB709C73A1EB0E27D3EE5DD60BC980
    C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.0.6000.16386_none_d8437c87a0d4ffbd\msconfig.exe --a---- 222208 bytes [08:35 02/11/2006] [09:45 02/11/2006] 1BB128A09911A936E8EFC30C3F6C597C
    C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.0.6001.18000_none_da7a3e839dc01091\msconfig.exe --a---- 227840 bytes [21:07 27/05/2008] [07:33 19/01/2008] 7629E9BB2FF06EACA62580A2C1D4FE6A

    -= EOF =-
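The SystemLook output above also lets a helper settle whether the quarantined msconfig.exe was the stock binary: the .vir copy and the 6.0.6001.18000 copy in WinSxS report the same size (227840 bytes) and the same MD5. As an added example (not code from this thread or from SystemLook's author), this Python script parses filefind result lines and pairs each Qoobox .vir file with component-store copies of identical hash and size.

```python
"""Cross-check quarantined files against the Windows component store using
a SystemLook 'filefind' log.

Added example, not code from this thread or from SystemLook's author. Assumes
each result line reads '<path> <attrs> <size> bytes [<t1>] [<t2>] <MD5>'.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

RESULT_RE = re.compile(
    r"^(?P<path>\S.*?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<t1>[^\]]+)\] \[(?P<t2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"
WINSXS = r"C:\Windows\winsxs"


@dataclass
class FileFindResult:
    path: str
    size: int
    md5: str


def parse_systemlook(text: str) -> List[FileFindResult]:
    """Keep only result lines; the header, 'Searching for' and EOF lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            out.append(FileFindResult(m.group("path"), int(m.group("size")), m.group("md5").upper()))
    return out


def component_store_matches(results: List[FileFindResult]) -> Dict[str, List[str]]:
    """Map each quarantined copy (*.vir under Qoobox) to WinSxS files with the
    same MD5 and size. A match means the quarantined bytes are identical to a
    copy Windows keeps for servicing, i.e. the file is the stock OS binary.
    MD5 is used only because SystemLook reports it; this establishes identity
    with the store copy, it is not an Authenticode signature check."""
    by_md5: Dict[str, List[FileFindResult]] = defaultdict(list)
    for r in results:
        by_md5[r.md5].append(r)
    matches: Dict[str, List[str]] = {}
    for r in results:
        if not (r.path.upper().startswith(QUARANTINE_ROOT.upper()) and r.path.lower().endswith(".vir")):
            continue
        matches[r.path] = [o.path for o in by_md5[r.md5]
                           if o.path.upper().startswith(WINSXS.upper()) and o.size == r.size]
    return matches


# Sample input: the filefind section of the SystemLook log posted in this thread.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "msconfig*"
C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir --a---- 227840 bytes [21:07 27/05/2008] [07:33 19/01/2008] 7629E9BB2FF06EACA62580A2C1D4FE6A
C:\Users\Melly\AppData\Roaming\Microsoft\Windows\Recent\msconfig.exe.vir.lnk --a---- 3923 bytes [17:40 05/09/2011] [17:40 05/09/2011] 10FB6658506EB97A2ABB82CDFD57AFC2
C:\Users\Melly\AppData\Roaming\Microsoft\Windows\Recent\msconfig.png.lnk --a---- 3736 bytes [17:41 05/09/2011] [17:41 05/09/2011] E80E6A15374D6BF0A04AF5DC2D2CC5CD
C:\Windows\System32\en-US\msconfig.exe.mui --a---- 28672 bytes [12:40 02/11/2006] [12:40 02/11/2006] 7DDB709C73A1EB0E27D3EE5DD60BC980
C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe.resources_31bf3856ad364e35_6.0.6000.16386_en-us_75e9bb24559d44f2\msconfig.exe.mui --a---- 28672 bytes [12:40 02/11/2006] [12:40 02/11/2006] 7DDB709C73A1EB0E27D3EE5DD60BC980
C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.0.6000.16386_none_d8437c87a0d4ffbd\msconfig.exe --a---- 222208 bytes [08:35 02/11/2006] [09:45 02/11/2006] 1BB128A09911A936E8EFC30C3F6C597C
C:\Windows\winsxs\x86_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.0.6001.18000_none_da7a3e839dc01091\msconfig.exe --a---- 227840 bytes [21:07 27/05/2008] [07:33 19/01/2008] 7629E9BB2FF06EACA62580A2C1D4FE6A

-= EOF =-
"""

if __name__ == "__main__":
    for quarantined, same in component_store_matches(parse_systemlook(SAMPLE_LOG)).items():
        print(quarantined, "->", same or "no identical copy in WinSxS")
```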
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Let's clear some things up:

    I said the Qoobox entries were old> did not say nor did I infer that your computer was old and should be replaced. But I did make a reference to the great number of files that were cleaned up in OTM> And computers that have been used for several years require good maintenance if you want to be able to run the system at all.

    The only Qoobox entries from the Combofix run I had you do are these:
    And there is one from when you 'dabbled in the Registry' with no backup:
    The infected msconfig file was removed 3 years ago:
    2008-01-19 07:33:16 227,840 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\msconfig.exe.vir

    The instructions were as follows:
    Those of us who help in these forums do our best to warn users not to use Combofix unless instructed to by their helper> It is clear that you have run Combofix numerous times during the years and that with help or without it, it has not been uninstalled properly as that would have removed the logs and the backups the program created.

    I tried to bring your attention to the date for these files in the Qoobox:
    None of the dates above are from the current running of Combofix> and because you never uninstalled Combofix after all those runs> the files in the Qoobox continued to show.
    ================================================
    If you want to continue, you can try running the SFC:
    System File Checker SFC
    1. Locate your Windows vista installation CD. If you don't have one, you'll need to locate a directory on your system that's named i386. This directory may be on a hidden partition on your hard drive.
    2. Go to Start> Run> type in SFC.EXE /SCANNOW (with a space between the SFC.EXE and the /SCANNOW).>
    3. Go to the top of the box and right click on SFC.EXE /SCANNOW and select "Run As Administrator"> enter
    4. The program may (or it may not) ask you for your Windows Vista installation CD - please insert it at the prompt. If it doesn't ask you for the CD this means that it wasn't necessary to replace any files.
    5. If SFC asks you for the CD, you can get Windows Update immediately after the scan is completed (Please note that there won't be any confirmation dialog - the program will just exit without telling you anything).
    6. If this doesn't repair the problem with your system other troubleshooting procedures are required.
  18. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 51

    How do you know the dabbled registry had anything to do with Hijack This? As far as I knew, it didn't; it was a thread purely about HP update and the article wouldn't know whether I had HijackThis installed. (Not saying you're wrong, just surprised that that would be it).


    OK, how about some additional clarification:
    I have never even heard of Combofix before you told me to install it. I have no explanation for the dates on the log and didn't even know they were delete dates rather than install dates or something. IF I had Combofix on my computer at any time prior to you telling me to install it, I have no idea how it got there, and I certainly wasn't running it. I am by no means purposely ignoring your instructions and doing my best to follow them step for step, but I can't uninstall something that I didn't know existed.

    So how do the date entries get created? I did not even OWN this computer until about 2007 or so, and as you pointed out, one of the dates is from 2000...what explanation is there for these dates when I have in actuality never run the program before and didn't even own the computer then?


    How long does this SFC scan take? I run it and get a blip of a window on the screen and then nothing.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I don't think that you are interested in continuing support. You started this thread 2 and a half months ago. You are a bit combative to what I suggest. It appears that when you got the computer 4 years ago, it had not been cleaned up by the previous owner.

    The best thing for you to do at this point is to reformat and reinstall the operating system.

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

    I'm sorry I couldn't be of more help.